Preface



This volume contains the papers presented at the Eighth International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR 2001), held on December 3-7, 2001, at the University of Havana (Cuba), together with the Second International Workshop on Implementation of Logics.

There were 112 submissions, of which 19 belonged to the special submission category of experimental papers, intended to describe implementations or comparisons of systems, or experiments with systems. Each submission was reviewed by at least three program committee members and an electronic program committee meeting was held via the Internet. The high number of submissions caused a large amount of work, and we are very grateful to the other 31 PC members for their efficiency and for the quality of their reviews and discussions.

Finally, the committee decided to accept 40 papers in the theoretical category, and 9 experimental papers. In addition to the refereed papers, this volume contains an extended abstract of the invited talk by Frank Wolter. Two other invited lectures were given by Matthias Baaz and Manuel Hermenegildo.

Apart from the program committee, we would also like to thank the other people who made LPAR 2001 possible: the additional referees; the Local Arrangements Chair Luciano Garcia; Andres Navarro and Oscar Güell, who ran the internet-based submission software and the program committee discussion software at the LSI Department lab in Barcelona; and Bill McCune, whose program committee management software was used.
Monodic Fragments of First-Order Temporal Logics: 2000–2001 A.D.

Ian Hodkinson¹, Frank Wolter², and Michael Zakharyaschev³

¹ Department of Computing, Imperial College, 180 Queen's Gate, London SW7 2BZ, U.K.
imh@doc.ic.ac.uk

² Institut für Informatik, Universität Leipzig, Augustus-Platz 10-11, 04109 Leipzig, Germany
wolter@informatik.uni-leipzig.de

³ Department of Computer Science, King's College, Strand, London WC2R 2LS, U.K.
mz@dcs.kcl.ac.uk



Abstract. The aim of this paper is to summarize and analyze some results obtained in 2000-2001 about decidable and undecidable fragments of various first-order temporal logics, give some applications in the field of knowledge representation and reasoning, and attract the attention of the 'temporal community' to a number of interesting open problems.



1 Introduction 



Temporal logic has found numerous applications in computer science, ranging from the traditional and well-developed fields of program specification and verification [refs], temporal databases [refs], and distributed and multi-agent systems [ref], to more recent uses in knowledge representation and reasoning [refs]. This is true of both propositional and first-order temporal logic. However, the mainstream of theoretical studies in the discipline has mostly been restricted to the propositional case, witness the surveys [refs], or the two-volume monograph [refs] where only one chapter is devoted to first-order temporal logics.

The reason for this seems clear. Though some axiomatizations of first-order temporal logics are known (e.g., [ref] presents axiomatizations for first-order logics with Until and Since over the class of all linear flows and over the rationals), a series of incompleteness theorems [refs], started by unpublished results of Scott and Lindström in the 1960s, show that many of the first-order temporal logics most useful in computer science are not even recursively enumerable. But in contrast to classical first-order logic, where the early undecidability results of Turing and Church stimulated research and led to a rich and profound theory concerned with classifying fragments of first-order logic according to their decidability (see, e.g., [ref]), for a long time there were few if any serious attempts to convert the 'negative' results in first-order temporal logic into a classification problem. Apparently, the extremely weak expressive power of the temporal formulas required to prove undecidability left no hope that any useful decidable fragments located 'between' propositional and first-order temporal logics could ever be found.

A certain breakthrough has been recently achieved in [35,61], where the so-called monodic fragment of first-order temporal and modal logics was shown to have much better computational behavior. In monodic formulas, the scope of temporal operators is restricted only to subformulas with at most one free variable. The idea to consider them came from knowledge representation, where a number of decidable description logics with modal, temporal, dynamic, and similar operators were constructed [refs]. It turned out that if these operators are applicable only to concepts (i.e., unary predicates) or subsumptions (closed formulas) of a decidable description logic, then the resulting hybrid logic is usually decidable as well; but applications of temporal operators to roles (i.e., binary predicates) lead to undecidable logics [57].

The aim of this paper is to survey the rapidly growing body of results, obtained since 2000, about decidable and undecidable fragments of various first-order temporal logics. We will describe some applications in knowledge representation and reasoning. We also include some interesting open problems, which we hope will attract the attention of the 'temporal community' in both logic and computer science.

2 First-Order Logics of Linear and Branching Time 

2.1 Linear Time 

Denote by $\mathcal{QTL}$ the first-order temporal language constructed in the standard way from the following alphabet:

— predicate symbols $P_0, P_1, \dots$, each of which is of some fixed arity,

— individual variables $x_0, x_1, \dots$,

— individual constants $c_0, c_1, \dots$,

— the booleans $\wedge$, $\neg$,

— the universal quantifier $\forall x$ for each individual variable $x$,

— the temporal operators $\mathcal S$ (Since) and $\mathcal U$ (Until).

Note that the language contains neither equality nor function symbols.

We will use the following standard abbreviations:

$\exists x\varphi = \neg\forall x\neg\varphi$, $\quad\Diamond_F\varphi = \top\,\mathcal U\,\varphi$, $\quad\Box_F\varphi = \neg\Diamond_F\neg\varphi$, $\quad\Box^+_F\varphi = \varphi\wedge\Box_F\varphi$, $\quad\Diamond_P\varphi = \top\,\mathcal S\,\varphi$, $\quad\bigcirc\varphi = \bot\,\mathcal U\,\varphi$,

where $\top$ and $\bot$ are the boolean constants 'truth' and 'falsehood', respectively. Thus, $\Diamond_F\varphi$ can be read as 'some time in the future', $\Box_F\varphi$ as 'from now on', and $\bigcirc\varphi$ as 'at the next moment' or 'tomorrow'.
$\mathcal{QTL}$ is interpreted in first-order temporal models of the form $\mathfrak M = \langle\mathfrak F, D, I\rangle$, where $\mathfrak F = (W,<)$ is a strict linear order representing the intended flow of time, $D$ is a non-empty set, the domain of $\mathfrak M$, and $I$ is a function associating with every moment of time $w \in W$ a first-order structure $I(w)$ with domain $D$, the state of $\mathfrak M$ at moment $w$. Here, for each $i$, $P_i^{I(w)}$ is a predicate on $D$ of the same arity as $P_i$ (for a propositional variable $P_i$, the predicate $P_i^{I(w)}$ is simply true or false), and $c_i^{I(w)}$ is an element of $D$. We require that $c_i^{I(w)} = c_i^{I(v)}$ for any $w, v \in W$, i.e., that constants are 'rigid'.

An assignment in $D$ is a function $\mathfrak a$ from the set $var$ of individual variables to $D$. We extend $\mathfrak a$ to constants via $\mathfrak a(c) = c^{I(w)}$ for any $w \in W$; this is well-defined. The truth-relation $(\mathfrak M, w) \models^{\mathfrak a} \varphi$ (or simply $w \models^{\mathfrak a} \varphi$, if $\mathfrak M$ is understood) in the model $\mathfrak M$ under the assignment $\mathfrak a$ is now defined inductively in the usual way:

— $w \models^{\mathfrak a} P_i(y_1,\dots,y_\ell)$ iff $P_i^{I(w)}(\mathfrak a(y_1),\dots,\mathfrak a(y_\ell))$ is true in $I(w)$, where the $y_i$ are variables or constants;

— $w \models^{\mathfrak a} \varphi\wedge\psi$ iff $w \models^{\mathfrak a} \varphi$ and $w \models^{\mathfrak a} \psi$;

— $w \models^{\mathfrak a} \neg\varphi$ iff $w \not\models^{\mathfrak a} \varphi$;

— $w \models^{\mathfrak a} \forall x\varphi$ iff $w \models^{\mathfrak b} \varphi$ for every assignment $\mathfrak b$ in $D$ that may differ from $\mathfrak a$ only on $x$;

— $w \models^{\mathfrak a} \varphi\,\mathcal S\,\psi$ iff there is $v < w$ such that $v \models^{\mathfrak a} \psi$ and $u \models^{\mathfrak a} \varphi$ for every $u$ in the interval $(v,w) = \{u \in W : v < u < w\}$;

— $w \models^{\mathfrak a} \varphi\,\mathcal U\,\psi$ iff there is $v > w$ such that $v \models^{\mathfrak a} \psi$ and $u \models^{\mathfrak a} \varphi$ for every $u \in (w,v)$.

For a class $\mathcal F$ of strict linear orders, we let $QTL(\mathcal F)$, 'the temporal logic of $\mathcal F$', denote the set of $\mathcal{QTL}$-formulas that are true at all times in all models based on flows of time in $\mathcal F$ under all assignments. $QTL_{fin}(\mathcal F)$ consists of the $\mathcal{QTL}$-formulas that are valid in all models based on flows of time in $\mathcal F$ and having finite domains.

Remark 1. In this paper we consider only models with constant domains. Satisfiability in models with expanding domains is known to be reducible to satisfiability in models with constant domains; see, e.g., [61].
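The truth conditions above can be executed directly. The following added example (written for this page, not part of the paper) checks a $\mathcal{QTL}$-sentence against a constructed model whose flow of time is a finite initial segment of $(\mathbb N, <)$ and whose domain is finite; the model, its predicate names and the helper names are assumptions of the example, and the abbreviations $\Diamond_F$, $\Box_F$, $\bigcirc$ and $\Diamond_P$ are expanded exactly as defined earlier, so that, e.g., $\bigcirc\varphi = \bot\,\mathcal U\,\varphi$ is seen to pick out the immediate successor moment.

```python
# Added example (not from the paper): a brute-force checker for the truth
# relation of Section 2.1 over a finite flow of time W = {0, ..., n-1}
# (a strict linear order) with a constant finite domain D and rigid constants.
# Formulas are nested tuples in the paper's primitive syntax:
#   ('P', name, terms)        atomic formula; terms are variable or constant names
#   ('and', f, g) ('not', f) ('forall', x, f) ('S', f, g) ('U', f, g) ('top',)
# The abbreviations are the paper's: ◇_F φ = ⊤ U φ, ◯φ = ⊥ U φ, ◇_P φ = ⊤ S φ.
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

@dataclass
class TemporalModel:
    n: int                                          # moments 0 < 1 < ... < n-1
    domain: Tuple[str, ...]                         # constant domain D
    consts: Dict[str, str]                          # rigid: c^{I(w)} is the same for all w
    state: Callable[[int], Dict[str, Set[tuple]]]   # I(w): predicate name -> set of tuples

TOP = ('top',)
BOT = ('not', TOP)

def exists(x, f):     return ('not', ('forall', x, ('not', f)))
def implies(f, g):    return ('not', ('and', f, ('not', g)))
def sometime_f(f):    return ('U', TOP, f)                    # ◇_F
def always_f(f):      return ('not', sometime_f(('not', f)))  # □_F
def next_(f):         return ('U', BOT, f)                    # ◯
def sometime_p(f):    return ('S', TOP, f)                    # ◇_P

def holds(m: TemporalModel, w: int, phi: tuple, a: Dict[str, str]) -> bool:
    """w ⊨^a phi in model m; a is the assignment (variable -> domain element)."""
    kind = phi[0]
    if kind == 'top':
        return True
    if kind == 'P':
        _, name, terms = phi
        # the assignment is extended to constants via a(c) = c^{I(w)}
        args = tuple(m.consts[t] if t in m.consts else a[t] for t in terms)
        return args in m.state(w).get(name, set())
    if kind == 'and':
        return holds(m, w, phi[1], a) and holds(m, w, phi[2], a)
    if kind == 'not':
        return not holds(m, w, phi[1], a)
    if kind == 'forall':
        _, x, body = phi
        # every assignment b that differs from a at most on x
        return all(holds(m, w, body, {**a, x: d}) for d in m.domain)
    if kind == 'S':   # some v < w with v ⊨ psi, and phi at every u in (v, w)
        _, f, g = phi
        return any(holds(m, v, g, a) and all(holds(m, u, f, a) for u in range(v + 1, w))
                   for v in range(0, w))
    if kind == 'U':   # some v > w with v ⊨ psi, and phi at every u in (w, v)
        _, f, g = phi
        return any(holds(m, v, g, a) and all(holds(m, u, f, a) for u in range(w + 1, v))
                   for v in range(w + 1, m.n))
    raise ValueError(f'unknown connective {kind!r}')

def check(m: TemporalModel, w: int, sentence: tuple) -> bool:
    """Truth of a sentence (no free variables) at moment w."""
    return holds(m, w, sentence, {})

# Constructed sample model: four moments, domain {a, b}, constant c naming a.
# Object a is ordered at moment 0 and delivered at moment 2; b is delivered at 3.
def _sample_state(w: int) -> Dict[str, Set[tuple]]:
    return {
        'Ordered':   {('a',)} if w == 0 else set(),
        'Delivered': {('a',)} if w == 2 else ({('b',)} if w == 3 else set()),
    }

SAMPLE = TemporalModel(n=4, domain=('a', 'b'), consts={'c': 'a'}, state=_sample_state)

ORDERED_X   = ('P', 'Ordered', ('x',))
DELIVERED_X = ('P', 'Delivered', ('x',))
DELIVERED_C = ('P', 'Delivered', ('c',))

# 'each ordered object is delivered in two days': ∀x (Ordered(x) → ◯◯Delivered(x))
TWO_DAYS = ('forall', 'x', implies(ORDERED_X, next_(next_(DELIVERED_X))))

if __name__ == '__main__':
    print(check(SAMPLE, 0, TWO_DAYS))                 # True
    print(check(SAMPLE, 0, next_(DELIVERED_C)))       # False: delivery is at 2, not at 1
    print(check(SAMPLE, 3, sometime_f(DELIVERED_C)))  # False: nothing lies after the last moment
```

Because the flow of time is finite, $\Box_F\varphi$ is vacuously true at the last moment while $\bigcirc\varphi$ is false there; the checker exposes exactly this difference between the defined abbreviations.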

2.2 Branching Time 

There are a number of approaches to constructing temporal logics based on the branching time paradigm; see, e.g., [refs]. Many of the resulting languages turn out to be fragments of the language we call here $\mathcal{QPCTL}^*$, quantified $CTL^*$ with past operators. It is obtained by extending the vocabulary of $\mathcal{QTL}$ with a unary path quantifier $\mathsf A$, which can be applied to arbitrary formulas. We let $\mathsf E\varphi$ abbreviate $\neg\mathsf A\neg\varphi$.

Important sublanguages of $\mathcal{QPCTL}^*$ are:

— $\mathcal{QCTL}^*$, that is $\mathcal{QPCTL}^*$ without the past operator $\mathcal S$;

— $\mathcal{QCTL}^*_F$, that is $\mathcal{QCTL}^*$ in which the binary operator $\mathcal U$ is replaced with the unary operator $\Box_F$ 'always in the future';

— $\mathcal{QPCTL}$, the fragment of $\mathcal{QPCTL}^*$ in which the path quantifiers and temporal operators occur only in the form $\mathsf E(\psi_1\,\mathcal U\,\psi_2)$, $\mathsf E(\psi_1\,\mathcal S\,\psi_2)$, $\mathsf A(\psi_1\,\mathcal U\,\psi_2)$ or $\mathsf A(\psi_1\,\mathcal S\,\psi_2)$.

A tree is a strict partial order $\mathfrak F = (W,<)$ such that for all $w \in W$, the set $\{v \in W : v < w\}$ is well-ordered by $<$. A full branch of $\mathfrak F$ is a maximal linearly-ordered subset of $W$. An $\omega$-tree is a tree whose full branches, ordered by $<$, are all order-isomorphic to $(\mathbb N,<)$. $\mathcal{QPCTL}^*$ (as well as its sublanguages) is interpreted in structures of the form $\mathfrak M = \langle\mathfrak F, \mathcal H, D, I\rangle$, where $\mathfrak F = (W,<)$ is an $\omega$-tree, $\mathcal H$ is a set (bundle) of full branches in $\mathfrak F$ with $\bigcup\mathcal H = W$, $D$ is a non-empty set called the domain of $\mathfrak M$, and $I$ is again a function associating with every $w \in W$ a first-order structure $I(w)$ with domain $D$. Constants are again rigid. We call $\mathfrak M$ a bundled tree model, and the branches in the bundle $\mathcal H$ are called histories. In the case when $\mathcal H$ contains all full branches in $\mathfrak F$ we say that $\mathfrak M$ is a full tree model, or simply a tree model.

Assignments $\mathfrak a$ in $D$ are defined as in the linear case. The truth-relation $(\mathfrak M, h, w) \models^{\mathfrak a} \varphi$, for $w \in h \in \mathcal H$ (or simply $(h,w) \models^{\mathfrak a} \varphi$ if $\mathfrak M$ is understood), is defined as follows:

— $(h,w) \models^{\mathfrak a} P_i(y_1,\dots,y_\ell)$ iff $P_i^{I(w)}(\mathfrak a(y_1),\dots,\mathfrak a(y_\ell))$ is true in $I(w)$, where the $y_i$ are variables or constants;

— $(h,w) \models^{\mathfrak a} \forall x\varphi$ iff $(h,w) \models^{\mathfrak b} \varphi$ for every assignment $\mathfrak b$ in $D$ that may differ from $\mathfrak a$ only on $x$;

— $(h,w) \models^{\mathfrak a} \varphi\,\mathcal S\,\psi$ iff there is $v < w$ such that $(h,v) \models^{\mathfrak a} \psi$ and $(h,u) \models^{\mathfrak a} \varphi$ for every $u \in (v,w)$;

— $(h,w) \models^{\mathfrak a} \varphi\,\mathcal U\,\psi$ iff there is $v \in h$ such that $v > w$, $(h,v) \models^{\mathfrak a} \psi$ and $(h,u) \models^{\mathfrak a} \varphi$ for every $u \in (w,v)$;

— $(h,w) \models^{\mathfrak a} \mathsf A\varphi$ iff for all $h' \in \mathcal H$ such that $w \in h'$ we have $(h',w) \models^{\mathfrak a} \varphi$,

plus the standard clauses for the booleans.

For any of the branching time languages $\mathcal L$ introduced above, denote by $BL$ ($L$) the set of all $\mathcal L$-formulas that are true at all points in all histories under every assignment in every bundled (respectively, full) tree model. Thus, $BQPCTL^*$ is the set of $\mathcal{QPCTL}^*$-formulas valid in bundled tree models, while $QPCTL^*$ is the set of $\mathcal{QPCTL}^*$-formulas valid in all tree models.

Remark 2. The logic $BQPCTL^*$ is the first-order version of bundled Ockhamist logic; cf. e.g. [ref]. In the computer science literature, $QCTL^*$ often denotes only the set of state (i.e., history-independent) $\mathcal{QCTL}^*$-formulas. However, this makes no difference as far as decidability is concerned, because a path (history-dependent) formula $\varphi$ is satisfiable iff the state formula $\mathsf E\varphi$ is satisfiable.

Satisfiability in bundled tree models can be reduced to satisfiability in full tree models. Indeed, given a $\mathcal{QPCTL}^*$-formula $\varphi$, let $q$ be a propositional variable not occurring in $\varphi$, and denote by $\varphi^q$ the result of replacing each subformula of $\varphi$ of the form $\mathsf A\psi$ by

$\mathsf A(\Diamond_F\Box_F q \to \psi)$.

Then we have the following:

Proposition 1 ([36]). $\varphi$ is satisfiable in a bundled tree model iff $\mathsf E\Diamond_F\Box_F q \wedge \varphi^q$ is satisfiable in a full tree model.

Example 1 in Section 3.2 illustrates the difference between satisfiability in bundled and full tree models.

3 Who Needs Decidable First-Order Temporal Logics? 

As was mentioned in the introduction, temporal logic has a wide range of applications in various fields of computer science and artificial intelligence. Here we give just two examples from knowledge representation in AI, where the standard requirements of KR formalisms are effectiveness and practical implementability. We show how to embed the KR systems into first-order temporal logic; this will be used in Section 5 to obtain decidability results.

3.1 Temporal Description Logics 

Classical description logic is a family of KR formalisms intended for dealing with conceptual knowledge about static application domains (see, e.g., [ref] and references therein). In a description logic, knowledge is represented by means of subsumption relations between complex concepts and instance assertions between objects and concepts. For example, in the logic $\mathcal{ALC}$ of [ref], complex concepts are composed from a countably infinite set $A_1, A_2, \dots$ of atomic concepts (unary predicates) by means of the boolean operators $\sqcap$ and $\neg$ and the quantifiers $\forall R$ and $\exists R$, where $R$ is a role name (binary predicate) from a countably infinite set of role names. Concepts are evaluated in $\mathcal{ALC}$-models

$I = \langle\Delta, A_1^I, A_2^I, \dots, R_1^I, R_2^I, \dots, a_1^I, a_2^I, \dots\rangle$,

where $\Delta$ is a non-empty set, the $A_i^I$ are subsets of $\Delta$, the $R_i^I$ subsets of $\Delta\times\Delta$, and the $a_i^I$ are members of $\Delta$ interpreting the object names $a_i$ of $\mathcal{ALC}$. The value $C^I$ of a complex concept $C$ is defined inductively, the only non-trivial clause being the following:

— $(\exists R.C)^I = \{x \in \Delta : \exists y \in \Delta\,(x R^I y \wedge y \in C^I)\}$.

We say that $C_1$ subsumes $C_2$ in $I$, $I \models C_1 \sqsubseteq C_2$ in symbols, if $C_1^I \subseteq C_2^I$. We say that an object name $a$ is an instance of $C$ in $I$, $I \models a : C$ in symbols, if $a^I \in C^I$. For example, the subsumption

$Person \sqcap \exists lives\_in.Bavaria \sqsubseteq Person \sqcap \forall drinks.Beer$

says that every person living in Bavaria drinks only beer, while the assertion

$John : \exists drinks.Whiskey$

claims that John drinks whiskey (and possibly some other liquids).

To represent dynamic conceptual knowledge bases, description logics have been extended by means of temporal operators; see, e.g., [refs]. On the semantical level, such an extension is quite straightforward. Models for temporal description logics are obtained from first-order temporal models by taking $I$ to be a function associating with every time point $w \in W$ not a first-order model but an $\mathcal{ALC}$-model $I(w) = \langle\Delta, A_1^{I(w)}, \dots, R_1^{I(w)}, \dots, a_1^{I(w)}, \dots\rangle$, where $a_i^{I(w)} = a_i^{I(v)}$ for all $v, w \in W$.

On the syntactic side, we can obtain a hierarchy of temporalized description logics by allowing applications of temporal operators to various syntactic entities of $\mathcal{ALC}$. We can apply them to concepts, as in

$Ordered\_object \sqsubseteq \bigcirc\bigcirc Delivered\_object$

('each ordered object will be delivered in two days'), or

$Mortal = Living\_being \sqcap (Living\_being\;\mathcal U\;\Box_F\neg Living\_being)$

('mortals are living beings which eventually die'). We can also apply them to subsumption relations, as in

$\Box_F\Diamond_F\neg(Living\_being \sqsubseteq \bot)$

('living beings will never die out completely'). If time is branching, we can also say

$\mathsf E\Box_F(Ordered\_object \sqsubseteq \bigcirc Delivered\_object)$

('it is possible that every ordered object is always delivered in one day'), or

$Ordered\_object \sqsubseteq \mathsf A\bigcirc Delivered\_object$

('an ordered object must be delivered the next day').

The maximal language $\mathcal{DPCTL}^*$ ($\mathcal Q$ for 'quantified' is replaced by $\mathcal D$ for 'description') that we consider in this paper allows applications of the temporal operators and path quantifiers to both concepts and subsumption relations¹. More precisely, if $C$ and $D$ are concepts then $C\,\mathcal U\,D$, $C\,\mathcal S\,D$, $\mathsf E C$ and $\mathsf A C$ are also concepts. Atomic $\mathcal{DPCTL}^*$-formulas are of the form $a : C$, $aRb$, and $C \sqsubseteq D$, where $C, D$ are $\mathcal{DPCTL}^*$-concepts, $R$ is a role name, and $a, b$ are object names. Complex formulas are composed from atomic ones using the booleans, $\mathcal S$, $\mathcal U$, and $\mathsf A$.

The semantics of $\mathcal{DPCTL}^*$ should be clear. First, given a bundled tree model $\mathfrak M = \langle\mathfrak F, \mathcal H, \Delta, I\rangle$, we define the extension $C^{I,h,w}$ of a concept $C$ relative to a history $h$ and a moment $w$ in $h$. This is done by induction as follows (we list only the interesting clauses):

¹ We could, of course, allow for temporalized roles as well. However, the obtained temporal description logics would be undecidable; see [60] for more information.

— $A^{I,h,w} = A^{I(w)}$ for concept names $A$;

— $(\exists R.C)^{I,h,w} = \{x \in \Delta : \exists y\,(x R^{I(w)} y \wedge y \in C^{I,h,w})\}$;

— $x \in (C\,\mathcal U\,D)^{I,h,w}$ iff there exists $v \in h$ such that $w < v$, $x \in D^{I,h,v}$ and $x \in C^{I,h,u}$ for all $u \in (w,v)$;

— $x \in (\mathsf E C)^{I,h,w}$ iff there exists $h' \in \mathcal H$ such that $w \in h'$ and $x \in C^{I,h',w}$.

The truth-relation $(\mathfrak M, h, w) \models \varphi$ (or $(h,w) \models \varphi$ for short) is now defined as in the first-order case. We give only the truth-conditions for atomic formulas:

— $(h,w) \models C_1 \sqsubseteq C_2$ iff $C_1^{I,h,w} \subseteq C_2^{I,h,w}$;

— $(h,w) \models a : C$ iff $a^{I(w)} \in C^{I,h,w}$;

— $(h,w) \models aRb$ iff $a^{I(w)} R^{I(w)} b^{I(w)}$.

The other temporal description logics we are interested in are fragments of $\mathcal{DPCTL}^*$. For example, $\mathcal{DTL}$ is the linear time fragment of $\mathcal{DPCTL}^*$ obtained by omitting the path quantifiers. $\mathcal{DCTL}^*_F$ is the future fragment of $\mathcal{DPCTL}^*$ in which $\mathcal U$ is replaced with $\Box_F$. $\mathcal{DPCTL}$ is obtained by restricting the application of temporal operators and path quantifiers to concepts and formulas by allowing only the patterns $\mathsf A(E_1\,\mathcal U\,E_2)$, $\mathsf E(E_1\,\mathcal U\,E_2)$, $\mathsf A(E_1\,\mathcal S\,E_2)$, and $\mathsf E(E_1\,\mathcal S\,E_2)$.

All these logics can be regarded as fragments of first-order temporal logic having the object names $a, b, \dots$ as their constants. Indeed, fix two different individual variables, say, $x, y$. The translation $R_i^\dagger$ of a role name $R_i$ is the formula $R_i(x,y)$ with two free variables $x, y$. The translation $C^\dagger$ of a concept $C$ is a formula with one free variable $x$ defined by taking

$A_i^\dagger = A_i(x)$, $\quad(\neg C)^\dagger = \neg C^\dagger$,

$(C \sqcap D)^\dagger = C^\dagger \wedge D^\dagger$, $\quad(C_1\,\mathcal U\,C_2)^\dagger = C_1^\dagger\,\mathcal U\,C_2^\dagger$,

$(\exists R.C)^\dagger = \exists y\,(R^\dagger \wedge C^\dagger\{y/x\})$, $\quad(\mathsf A C)^\dagger = \mathsf A C^\dagger$,

and similarly for $\mathcal S$ and $\mathsf E$. The translation $\varphi^\dagger$ of a $\mathcal{DPCTL}^*$-formula $\varphi$ is a sentence defined as follows:

$(C \sqsubseteq D)^\dagger = \forall x\,(C^\dagger \to D^\dagger)$, $\quad(a : C)^\dagger = C^\dagger\{a/x\}$,

$(aRb)^\dagger = R^\dagger\{a/x, b/y\}$, $\quad(\varphi\wedge\psi)^\dagger = \varphi^\dagger \wedge \psi^\dagger$,

$(\varphi\,\mathcal U\,\psi)^\dagger = \varphi^\dagger\,\mathcal U\,\psi^\dagger$, $\quad(\mathsf A\varphi)^\dagger = \mathsf A\varphi^\dagger$,

and similarly for the other temporal operators. It is readily checked that a $\mathcal{DPCTL}^*$-formula $\varphi$ is satisfiable iff its first-order translation $\varphi^\dagger$ is satisfiable.
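The translation $(\cdot)^\dagger$ is purely syntactic, so it can be written down as a small program. The following added example (not the paper's code) implements it over two fixed variables $x, y$; the only assumption beyond the clauses above is how the substitution $C^\dagger\{y/x\}$ is realised: as a simultaneous swap of $x$ and $y$ throughout $C^\dagger$, which is what keeps nested $\exists R$ inside the two-variable fragment without variable capture. The concept and formula constructors, the tuple syntax, and the sample concepts are the example's own.

```python
# Added example (not the paper's code): the translation (·)^† of Section 3.1
# from DPCTL* concepts and formulas into first-order temporal formulas over the
# two fixed variables x and y. Concepts and formulas are nested tuples:
#   concepts: ('atom', A) ('not', C) ('and', C, D) ('some', R, C)
#             ('U', C, D) ('S', C, D) ('A', C) ('E', C)
#   formulas: ('sub', C, D) ('inst', a, C) ('role', a, R, b)
#             ('and', f, g) ('not', f) ('U', f, g) ('S', f, g) ('A', f)
# Output formulas use the primitive first-order temporal syntax
#   ('P', name, terms) ('and', f, g) ('not', f) ('forall', v, f) ('U', f, g) ('S', f, g) ('A', f)
# Assumption (not spelled out in the paper): C^†{y/x} is realised as a
# simultaneous swap of x and y, which avoids capture under nested ∃R while
# staying inside the two-variable fragment.
X, Y = 'x', 'y'

def swap_xy(f):
    """Rename x<->y everywhere (free and bound); a bijective renaming keeps the meaning."""
    r = {X: Y, Y: X}
    kind = f[0]
    if kind == 'P':
        return ('P', f[1], tuple(r.get(t, t) for t in f[2]))
    if kind == 'forall':
        return ('forall', r.get(f[1], f[1]), swap_xy(f[2]))
    if kind in ('not', 'A'):
        return (kind, swap_xy(f[1]))
    return (kind, swap_xy(f[1]), swap_xy(f[2]))          # 'and', 'U', 'S'

def subst_free(f, mapping):
    """Replace free occurrences of variables by constants (mapping: var -> const)."""
    kind = f[0]
    if kind == 'P':
        return ('P', f[1], tuple(mapping.get(t, t) for t in f[2]))
    if kind == 'forall':
        inner = {v: c for v, c in mapping.items() if v != f[1]}   # f[1] is bound here
        return ('forall', f[1], subst_free(f[2], inner))
    if kind in ('not', 'A'):
        return (kind, subst_free(f[1], mapping))
    return (kind, subst_free(f[1], mapping), subst_free(f[2], mapping))

def exists(v, f):  return ('not', ('forall', v, ('not', f)))
def E(f):          return ('not', ('A', ('not', f)))          # E abbreviates ¬A¬
def implies(f, g): return ('not', ('and', f, ('not', g)))

def concept(c):
    """C^†: a first-order temporal formula whose only free variable is x."""
    kind = c[0]
    if kind == 'atom':                       # A_i^† = A_i(x)
        return ('P', c[1], (X,))
    if kind == 'not':                        # (¬C)^† = ¬C^†
        return ('not', concept(c[1]))
    if kind == 'and':                        # (C ⊓ D)^† = C^† ∧ D^†
        return ('and', concept(c[1]), concept(c[2]))
    if kind == 'some':                       # (∃R.C)^† = ∃y (R(x,y) ∧ C^†{y/x})
        return exists(Y, ('and', ('P', c[1], (X, Y)), swap_xy(concept(c[2]))))
    if kind in ('U', 'S'):                   # (C U D)^† = C^† U D^†, likewise for S
        return (kind, concept(c[1]), concept(c[2]))
    if kind == 'A':                          # (AC)^† = A C^†
        return ('A', concept(c[1]))
    if kind == 'E':
        return E(concept(c[1]))
    raise ValueError(f'unknown concept constructor {kind!r}')

def formula(phi):
    """φ^†: a first-order temporal sentence."""
    kind = phi[0]
    if kind == 'sub':                        # (C ⊑ D)^† = ∀x (C^† → D^†)
        return ('forall', X, implies(concept(phi[1]), concept(phi[2])))
    if kind == 'inst':                       # (a : C)^† = C^†{a/x}
        return subst_free(concept(phi[2]), {X: phi[1]})
    if kind == 'role':                       # (aRb)^† = R(x,y){a/x, b/y}
        return ('P', phi[2], (phi[1], phi[3]))
    if kind == 'not':
        return ('not', formula(phi[1]))
    if kind == 'A':
        return ('A', formula(phi[1]))
    return (kind, formula(phi[1]), formula(phi[2]))     # 'and', 'U', 'S'

# Constructed inputs: the paper's whiskey assertion, and a simplified variant of
# its 'mortals' subsumption using only the constructors modelled here.
JOHN   = ('inst', 'John', ('some', 'drinks', ('atom', 'Whiskey')))
MORTAL = ('sub', ('atom', 'Mortal'), ('U', ('atom', 'Living_being'), ('atom', 'Dead')))

if __name__ == '__main__':
    print(formula(JOHN))
    print(formula(MORTAL))
```

Translating $\exists R.\exists R.A$ shows the swap at work: the inner quantifier ends up as $\exists x\,(R(y,x) \wedge A(x))$ under an outer $\exists y\,(R(x,y) \wedge \dots)$, so the whole translation still uses only $x$ and $y$ and has exactly $x$ free.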

3.2 Spatio-Temporal Logics 

Our second example is a family of logics devised in [ref] for qualitative representation and reasoning about spatial regions moving in time. The logics are obtained by combining (propositional) temporal logics with the region connection calculus RCC-8.

Recall that RCC-8 contains eight binary relations between regions in topological spaces: DC (disconnection), EQ (equality), PO (partial overlap), EC (external connection), TPP (tangential proper part), NTPP (non-tangential proper part), and the inverses of the last two. Boolean operations are allowed on these relations. See, e.g., [refs].

The intended semantics of RCC-8 is as follows. Region variables $X, Y, \dots$ are interpreted as regular closed sets in a topological space $(T, \mathbb I)$. Here, $\mathbb I$ is the interior operator on the universe $T$, and $\mathbb C$ is the corresponding closure operator. A regular closed set $S \subseteq T$ is one satisfying $S = \mathbb C\mathbb I S$. Given such an interpretation (or assignment) of the region variables, we then put (where $-X$ denotes the complement of $X$)

$DC(X,Y)$ iff $\neg\exists x\,(x \in X \cap Y)$,

$EQ(X,Y)$ iff $\forall x\,(x \in X \leftrightarrow x \in Y)$,

$PO(X,Y)$ iff $\exists x\,(x \in \mathbb I X \cap \mathbb I Y) \wedge \exists x\,(x \in \mathbb I X \cap -Y) \wedge \exists x\,(x \in -X \cap \mathbb I Y)$,

$EC(X,Y)$ iff $\exists x\,(x \in X \cap Y) \wedge \neg\exists x\,(x \in \mathbb I X \cap \mathbb I Y)$,

$TPP(X,Y)$ iff $\forall x\,(x \in -X \cup Y) \wedge \exists x\,(x \in X \cap -\mathbb I Y) \wedge \exists x\,(x \in -X \cap Y)$,

$TPPi(X,Y)$ iff $TPP(Y,X)$,

$NTPP(X,Y)$ iff $\forall x\,(x \in -X \cup \mathbb I Y) \wedge \exists x\,(x \in -X \cap Y)$,

$NTPPi(X,Y)$ iff $NTPP(Y,X)$.
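The eight clauses above are decision procedures once interior and closure are computable. The following added example (not from the paper) evaluates them literally on a constructed finite topological space; the assumption, beyond the definitions, is the choice of space: the Alexandrov topology of a finite preorder, whose open sets are the upward-closed sets, which is the kind of Kripke-frame-induced space mentioned later in this section. The 'digital line', the region names and the helper names are the example's own.

```python
# Added example (not from the paper): the eight RCC-8 relations of Section 3.2
# computed literally from the definitions above, on a constructed finite
# topological space.  Assumption: the space is the Alexandrov topology of a
# finite preorder (W, R), whose open sets are the R-upward-closed sets; there
# interior and closure are finite computations, and regular closed sets can be
# checked directly.  The 'digital line' below is one such space in which the
# regular closed sets behave like closed intervals.
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

class AlexandrovSpace:
    def __init__(self, points: Iterable[int], edges: Iterable[Tuple[int, int]]):
        self.points = frozenset(points)
        self.succ: Dict[int, set] = {p: {p} for p in self.points}   # reflexive
        for a, b in edges:
            self.succ[a].add(b)
        changed = True                                           # transitive closure
        while changed:
            changed = False
            for p in self.points:
                reach = set().union(*(self.succ[q] for q in self.succ[p]))
                if not reach <= self.succ[p]:
                    self.succ[p] |= reach
                    changed = True

    def interior(self, s: FrozenSet[int]) -> FrozenSet[int]:
        # I S = largest open (upward-closed) subset of S
        return frozenset(x for x in self.points if self.succ[x] <= s)

    def closure(self, s: FrozenSet[int]) -> FrozenSet[int]:
        # C S = complement of the interior of the complement
        return frozenset(x for x in self.points if self.succ[x] & s)

    def is_regular_closed(self, s: FrozenSet[int]) -> bool:
        return s == self.closure(self.interior(s))

def digital_line(n: int) -> AlexandrovSpace:
    """Points 1..n; even points are open, odd points see their even neighbours."""
    edges = [(p, q) for p in range(1, n + 1, 2) for q in (p - 1, p + 1) if 1 <= q <= n]
    return AlexandrovSpace(range(1, n + 1), edges)

# The RCC-8 relations, one per clause of the table (-X is the complement of X,
# so 'x in -X ∩ Y' becomes the set difference Y - X).
def DC(T, X, Y):    return not (X & Y)
def EQ(T, X, Y):    return X == Y
def PO(T, X, Y):
    IX, IY = T.interior(X), T.interior(Y)
    return bool(IX & IY) and bool(IX - Y) and bool(IY - X)
def EC(T, X, Y):    return bool(X & Y) and not (T.interior(X) & T.interior(Y))
def TPP(T, X, Y):   return X <= Y and bool(X - T.interior(Y)) and bool(Y - X)
def TPPi(T, X, Y):  return TPP(T, Y, X)
def NTPP(T, X, Y):  return X <= T.interior(Y) and bool(Y - X)
def NTPPi(T, X, Y): return NTPP(T, Y, X)

RCC8: Dict[str, Callable] = {
    'DC': DC, 'EQ': EQ, 'PO': PO, 'EC': EC,
    'TPP': TPP, 'TPPi': TPPi, 'NTPP': NTPP, 'NTPPi': NTPPi,
}

def relations(T: AlexandrovSpace, X: FrozenSet[int], Y: FrozenSet[int]) -> List[str]:
    """Names of the RCC-8 relations holding between X and Y.  For non-empty
    regular closed regions exactly one name comes back: the eight relations are
    jointly exhaustive and pairwise disjoint on such sets."""
    if not (T.is_regular_closed(X) and T.is_regular_closed(Y)):
        raise ValueError('RCC-8 is defined on regular closed sets only')
    return [name for name, rel in RCC8.items() if rel(T, X, Y)]

# Constructed regions on the 9-point digital line (closed 'intervals').
LINE = digital_line(9)
KOSOVO     = frozenset({3, 4, 5})
YUGOSLAVIA = frozenset({1, 2, 3, 4, 5, 6, 7})
NEIGHBOUR  = frozenset({7, 8, 9})

if __name__ == '__main__':
    print(relations(LINE, KOSOVO, YUGOSLAVIA))      # ['NTPP']
    print(relations(LINE, YUGOSLAVIA, NEIGHBOUR))   # ['EC']
```

The guard in `relations` matters: $\{2,3,4\}$ is not regular closed on this line (its closure-of-interior is $\{1,\dots,5\}$), and on such sets the eight clauses need not be exhaustive or disjoint.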



The maximal spatio-temporal language $\mathcal{SPCTL}^*$ ($\mathcal S$ for 'spatial') that we consider in this paper is defined as follows. Region terms are constructed from region variables by means of the boolean operators, $\mathcal S$, $\mathcal U$, and $\mathsf A$. Atomic formulas are of the form $R(t_1,t_2)$, where $t_1, t_2$ are region terms and $R$ an RCC-8 relation. Complex formulas are constructed from atomic ones using the booleans, $\mathcal S$, $\mathcal U$, and $\mathsf A$. ($\mathsf E$ continues to abbreviate $\neg\mathsf A\neg$.) In this language, we can speak about the temporal development of relations between regions, as in

$\mathsf E\Box_F TPP(Kosovo, Yugoslavia) \wedge \mathsf E\bigcirc EC(Kosovo, Yugoslavia)$

('it is possible that Kosovo will always be part of Yugoslavia and also possible that already in one year Kosovo will be a neighbor of Yugoslavia'). We can also speak about the dynamics of regions themselves. For example,

$\Box_F\,(NTPP(EU, \bigcirc EU) \vee TPP(EU, \bigcirc EU))$,

interpreted in discrete flows of time, means that the EU will never contract. As an example of a more complex statement, consider

$DC(Russia\;\mathcal S\;Russian\_Empire,\; Russia\;\mathcal S\;Germany)$,

which can be used to say that the part of Russia that has remained Russian since 1917 is not connected to the part of Germany (Königsberg) that became Russian after the Second World War.

Models for $\mathcal{SPCTL}^*$ are obtained from first-order temporal models by associating via $I$ with every moment $w$ not a first-order structure but a topological space together with an assignment for the region variables. Thus, $I(w)$ is a triple of the form $(T, \mathbb I, \mathfrak a_w)$, where $\mathfrak a_w$ maps each region variable $X$ to a regular closed subset of $T$. (Note that region variables are not rigid.)

Now define the value $t^{I,h,w}$ of a region term $t$ relative to a history $h$ and a moment $w \in h$, as follows (we list only some clauses):

$X^{I,h,w} = \mathfrak a_w(X)$,

$(t_1 \sqcap t_2)^{I,h,w} = \mathbb C\mathbb I\,(t_1^{I,h,w} \cap t_2^{I,h,w})$,

$(t_1\,\mathcal U\,t_2)^{I,h,w} = \mathbb C\mathbb I\,\{x : \exists v > w\,(v \in h \wedge x \in t_2^{I,h,v} \wedge \forall u \in (w,v)\; x \in t_1^{I,h,u})\}$,

$(\mathsf E t)^{I,h,w} = \mathbb C\mathbb I\,\{x : \exists h' \in \mathcal H\,(w \in h' \wedge x \in t^{I,h',w})\}$.

The right-hand side is always prefixed by $\mathbb C\mathbb I$ because spatial regions are interpreted as regular closed sets.

The truth-relation $(h,w) \models \varphi$ is now defined in the obvious manner. For example, $(h,w) \models DC(t_1,t_2)$ iff $DC(t_1^{I,h,w}, t_2^{I,h,w})$ holds in $(T, \mathbb I)$.

Example 1. Let $\varphi$ be the conjunction of the following three $\mathcal{SPCTL}^*$-formulas:

$P(Kosovo, Yugoslavia)$

$\mathsf A\Diamond_F\Box_F EC(Kosovo, Yugoslavia)$

$\mathsf A\Box_F\,(P(Kosovo, Yugoslavia) \to \mathsf E\bigcirc P(Kosovo, Yugoslavia))$

The first formula means that at present Kosovo is part of Yugoslavia. The second says that in all possible histories, there'll be a time starting from which Kosovo will be externally connected to Yugoslavia. And the last formula claims that in all possible histories, it is always the case that if Kosovo is part of Yugoslavia then it is still possible that it will remain in Yugoslavia at least one more day. Clearly, $\varphi$ is satisfiable in a bundled tree model but not in a full tree model.

Consider the following fragments of $\mathcal{SPCTL}^*$:

— $\mathcal{SCTL}^*_F$, the fragment without past operators and with $\Box_F$ instead of $\mathcal U$;

— $\mathcal{SCTL}^*_{\bigcirc}$, the fragment without past operators in which region terms are constructed using the booleans and $\bigcirc$ only;

— $\mathcal{STL}$, the fragment of $\mathcal{SPCTL}^*$ without path quantifiers;

— $\mathcal{STL}_{\bigcirc}$, the fragment of $\mathcal{STL}$ in which region terms are constructed using the boolean operators and $\bigcirc$.

It is not clear whether the full language $\mathcal{SPCTL}^*$ or its 'linear fragment' $\mathcal{STL}$ can be embedded into first-order temporal logics, because we have to deal with arbitrary topological spaces and infinite intersections and unions of sets. However, in some cases topological spaces induced by rather simple Kripke frames are enough. This is so for the languages $\mathcal{SCTL}^*_{\bigcirc}$ and $\mathcal{STL}_{\bigcirc}$. As for $\mathcal{SPCTL}^*$ and $\mathcal{STL}$, in many applications it is sufficient to consider satisfiability in models where every region can have only finitely many states, the so-called FSA-models. (FSA stands for the 'finite state assumption'.) In all these cases, the satisfiability problem for spatio-temporal formulas can be (polynomially) reduced to satisfiability of first-order temporal formulas with only one individual variable. This (rather non-trivial) reduction can be found in [62,29].

4 Natural Borders of Decidability 

The following theorems indicate some limits beyond which one cannot hope to find decidable fragments of first-order temporal logics.

Given a first-order temporal language $\mathcal{TL}$ and $\ell < \omega$, we denote by $\mathcal{TL}^\ell$ the $\ell$-variable fragment of $\mathcal{TL}$ (i.e., every formula in $\mathcal{TL}^\ell$ contains at most $\ell$ distinct individual variables). And by $\mathcal{TL}^{mo}$ we denote the monadic fragment of $\mathcal{TL}$ (i.e., the set of formulas which contain only unary predicates and propositional variables). Both the two-variable and the monadic fragments of classical (non-temporal) first-order logic are known to be decidable and have the finite model property; see [ref] and references therein. The computational behavior of the corresponding fragments of first-order temporal logics turns out to be quite different.

Theorem 1 ([35]). Let $\mathcal F$ be either $\{(\mathbb N,<)\}$ or $\{(\mathbb Z,<)\}$. Then

$\mathcal{QTL}^2 \cap \mathcal{QTL}^{mo} \cap QTL(\mathcal F)$

is not recursively enumerable.

Theorem 2 ([35]). Let $\mathcal F$ be one of the following classes of temporal frames: $\{(\mathbb N,<)\}$, $\{(\mathbb Z,<)\}$, the class of all strict linear orders. Then

$\mathcal{QTL}^2 \cap \mathcal{QTL}^{mo} \cap QTL_{fin}(\mathcal F)$

is not recursively enumerable.

Another well-behaved fragment of classical predicate logic is the guarded fragment of [5]. The corresponding fragment $\mathcal{TGF}$ of first-order temporal logic is the smallest set of $\mathcal{QPCTL}^*$-formulas such that:

— every atomic formula is in $\mathcal{TGF}$;

— if $\varphi$ and $\psi$ are in $\mathcal{TGF}$, then so are $\varphi\wedge\psi$, $\neg\varphi$, $\varphi\,\mathcal S\,\psi$, $\varphi\,\mathcal U\,\psi$, and $\mathsf A\varphi$;

— if $\bar x, \bar y$ are tuples of variables, $G(\bar x,\bar y)$ is an atomic formula, $\varphi(\bar x,\bar y) \in \mathcal{TGF}$, and every free variable occurring in $\varphi(\bar x,\bar y)$ occurs in $G(\bar x,\bar y)$ as well, then $\forall\bar y\,(G(\bar x,\bar y) \to \varphi(\bar x,\bar y))$ is in $\mathcal{TGF}$.

The set $\mathcal{TGF}$ is called the guarded fragment of the first-order temporal language. Again in contrast to the case of classical predicate logic, we have the following:

Theorem 3 ([35]). Let $\mathcal F \in \{\{(\mathbb N,<)\}, \{(\mathbb Z,<)\}\}$. Then $QTL(\mathcal F) \cap \mathcal{QTL}^2 \cap \mathcal{TGF}$ is not recursively enumerable.
The computational behavior of branching time logics is even worse:

Theorem 4 ([36]). The one-variable fragments of $QCTL^*_F$ and $BQCTL^*_F$ are undecidable.

Remark 3. A more general version of this result can be formulated in terms of products of propositional modal logics; see [ref] and references therein. Namely, there is no decidable set $L$ of formulas such that

$K \times CTL^*_F \subseteq L \subseteq S5 \times CTL^*_F$.

The same holds for the propositional bundled case as well.

Problem 1. Which fragments of $BQPCTL^*$ and $QPCTL^*$ are recursively enumerable?



5 Decidable Fragments 

The negative results of the previous section can be 'explained' by the fact that all the undecidable fragments there are in a sense 'three-dimensional', which is often a cause of bad computational properties. The three-variable fragment of classical first-order logic is undecidable even without equality [41], and products of three propositional modal logics are usually undecidable [34]. In Theorems 1, 2 and 3 the linear time operator $\mathcal U$ can be applied to formulas with two free variables, and so we can quantify in three 'dimensions': one temporal and two domain. In Theorem 4 we also have quantification in three dimensions: temporal operators, path quantifiers and the domain quantification.

The following definition of [35,61] suggests a way to avoid this kind of interaction.

Definition 1 (monodic formulas). Let $\mathcal{QPCTL}^*_1$ be the set of all $\mathcal{QPCTL}^*$-formulas $\varphi$ such that any subformula of $\varphi$ of the form $\psi_1\,\mathcal U\,\psi_2$, $\psi_1\,\mathcal S\,\psi_2$, or $\mathsf A\psi$ has at most one free variable. Such formulas $\varphi$ will be called monodic. In other words, monodic formulas allow quantification into temporal contexts only with one free variable. $\mathcal{QPCTL}_1$, $\mathcal{QTL}_1$, and $\mathcal{TGF}_1$ denote the corresponding fragments of $\mathcal{QPCTL}$, $\mathcal{QTL}$, and $\mathcal{TGF}$ respectively.

Of course the monodic fragments of the logics under consideration are still undecidable, simply because they contain full first-order logic. However, the monodic fragments of $QTL((\mathbb N,<))$ and $QTL((\mathbb Z,<))$ become recursively enumerable: see [ref] for axiomatizations.

Problem 2. Are the monodic fragments of other temporal logics considered in this paper (finitely) axiomatizable, in particular, the monodic fragments of $QCTL$ and $QPCTL^*$?
We now provide some general conditions under which fragments of the monodic temporal logics are decidable. To simplify presentation, we will assume that our languages contain no individual constants.

Fix a $\mathcal{QPCTL}^*_1$-formula $\varphi$. Denote by $sub\,\varphi$ the closure under (single) negation of the set of all subformulas of $\varphi$ that contain at most one free variable. Let $x$ be a variable not occurring in $\varphi$. Put

$sub_x\,\varphi = \{\psi\{x/y\} : \psi(y) \in sub\,\varphi\}$.

By a type for $\varphi$ we mean any boolean-saturated subset $t$ of $sub_x\,\varphi$, that is,

— $\psi\wedge\chi \in t$ iff $\psi \in t$ and $\chi \in t$, for every $\psi\wedge\chi \in sub_x\,\varphi$;

— $\neg\psi \in t$ iff $\psi \notin t$, for every $\neg\psi \in sub_x\,\varphi$.

For every $\mathcal{QPCTL}^*_1$-formula $\psi(x)$ starting with $\mathcal U$, $\mathcal S$, or $\mathsf A$, and having one free variable $x$, we reserve a unary predicate $P_\psi(x)$. Similarly, for every sentence $\psi$ of this form we fix a propositional variable $p_\psi$. These predicates and variables are called the surrogates of the original formulas. We denote by $\overline\varphi$ the result of replacing in $\varphi$ all its subformulas starting with $\mathcal U$, $\mathcal S$, or $\mathsf A$ by their surrogates. Thus, $\overline\varphi$ is a formula of classical first-order logic. For a $\varphi$-type $t$, we write $\overline t$ for $\{\overline\psi : \psi \in t\}$; we identify $\overline t$ with its conjunction $\bigwedge\overline t$.

A set $S$ of $\varphi$-types is called (finitely) realizable if the sentence

$\alpha_S = \bigwedge_{t \in S}\exists x\,\overline t \;\wedge\; \forall x\bigvee_{t \in S}\overline t$

is satisfiable (in a finite model).
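Definition 1 and the surrogate construction are both syntactic checks on the formula tree, and writing them out makes the role of the free-variable count explicit. The following added example (not the paper's code) decides whether a formula in the primitive syntax is monodic and computes $\overline\varphi$; as in this section it assumes a language without constants, and it assumes one naming convention the paper does not fix: a surrogate is named by the canonical text of the replaced subformula with its free variable renamed to a fresh one, so that $\psi(x)$ and $\psi(y)$ share the predicate $P_\psi$ (the same identification that $sub_x\,\varphi$ performs). The tuple syntax, the helper names and the sample formulas are the example's own.

```python
# Added example (not the paper's code): Definition 1 (monodic formulas) and the
# surrogate construction of Section 5 on formulas in the primitive syntax
#   ('P', name, terms) ('and', f, g) ('not', f) ('forall', v, f)
#   ('U', f, g) ('S', f, g) ('A', f) ('top',)
# Following Section 5, the language has no constants, so every term is a
# variable.  Assumption: surrogate names are built from a canonical text form
# of the replaced subformula, so that ψ(x) and ψ(y) get the same surrogate
# predicate P_ψ applied to x and to y respectively.
TEMPORAL = ('U', 'S', 'A')

def free_vars(f):
    kind = f[0]
    if kind == 'top':
        return frozenset()
    if kind == 'P':
        return frozenset(f[2])
    if kind == 'forall':
        return free_vars(f[2]) - {f[1]}
    if kind in ('not', 'A'):
        return free_vars(f[1])
    return free_vars(f[1]) | free_vars(f[2])

def is_monodic(f):
    """Every subformula of the form ψ1 U ψ2, ψ1 S ψ2 or Aψ has at most one free variable."""
    kind = f[0]
    if kind in TEMPORAL and len(free_vars(f)) > 1:
        return False
    if kind in ('top', 'P'):
        return True
    if kind == 'forall':
        return is_monodic(f[2])
    if kind in ('not', 'A'):
        return is_monodic(f[1])
    return is_monodic(f[1]) and is_monodic(f[2])

def rename(f, old, new):
    """Rename every occurrence (free or bound) of variable old to new; new is assumed fresh."""
    kind = f[0]
    if kind == 'top':
        return f
    if kind == 'P':
        return ('P', f[1], tuple(new if t == old else t for t in f[2]))
    if kind == 'forall':
        return ('forall', new if f[1] == old else f[1], rename(f[2], old, new))
    if kind in ('not', 'A'):
        return (kind, rename(f[1], old, new))
    return (kind, rename(f[1], old, new), rename(f[2], old, new))

def surrogate(f, fresh='x0'):
    """The classical formula \\overline{f}: every maximal subformula starting with
    U, S or A is replaced by its surrogate, a unary predicate P_ψ(z) when ψ has
    the single free variable z, or a propositional variable p_ψ when ψ is a
    sentence.  fresh must be a variable not occurring in f."""
    kind = f[0]
    if kind in TEMPORAL:
        fv = free_vars(f)
        if len(fv) > 1:
            raise ValueError('not a monodic formula')
        if fv:
            (z,) = fv
            return ('P', 'P_' + repr(rename(f, z, fresh)), (z,))
        return ('P', 'p_' + repr(f), ())
    if kind in ('top', 'P'):
        return f
    if kind == 'forall':
        return ('forall', f[1], surrogate(f[2], fresh))
    if kind == 'not':
        return ('not', surrogate(f[1], fresh))
    return ('and', surrogate(f[1], fresh), surrogate(f[2], fresh))

def is_classical(f):
    """True when f contains no U, S or A, i.e. is a first-order formula."""
    kind = f[0]
    if kind in TEMPORAL:
        return False
    if kind in ('top', 'P'):
        return True
    if kind == 'forall':
        return is_classical(f[2])
    if kind == 'not':
        return is_classical(f[1])
    return is_classical(f[1]) and is_classical(f[2])

# Constructed inputs
TOP = ('top',)
# ∀x (Q(x) → ⊤ U R(x)): monodic, the U-subformula has the one free variable x
MONODIC = ('forall', 'x', ('not', ('and', ('P', 'Q', ('x',)), ('not', ('U', TOP, ('P', 'R', ('x',)))))))
# ∀x (R(x, y) U Q(x)): not monodic, the U-subformula has free variables x and y
NOT_MONODIC = ('forall', 'x', ('U', ('P', 'R', ('x', 'y')), ('P', 'Q', ('x',))))
# (⊤ U R(x)) ∧ (⊤ U R(y)): both conjuncts get the same surrogate predicate
TWO_COPIES = ('and', ('U', TOP, ('P', 'R', ('x',))), ('U', TOP, ('P', 'R', ('y',))))

if __name__ == '__main__':
    print(is_monodic(MONODIC), is_monodic(NOT_MONODIC))   # True False
    print(surrogate(MONODIC))
```

Note that `surrogate` replaces maximal temporal subformulas, so anything nested inside a replaced $\mathcal U$, $\mathcal S$ or $\mathsf A$ disappears into the surrogate's name; this is what makes $\overline\varphi$ a formula of classical first-order logic, which is exactly what realizability of a set of types is then asked about.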

Theorem 5 (criterion 1: linear case [35]). Let $\mathcal L' \subseteq \mathcal{QTL}_1$.

(i) Let $\mathcal F$ be any of the following classes of flows of time:

— $\{(\mathbb N,<)\}$,

— $\{(\mathbb Z,<)\}$,

— $\{(\mathbb Q,<)\}$,

— the class of all finite strict linear orders,

— any first-order-definable class of strict linear orders.

Suppose there is an algorithm that decides for any $\mathcal L'$-formula $\varphi$ whether an arbitrarily-given set of $\varphi$-types is realizable. Then the satisfiability problem for $\mathcal L'$-sentences in models based on flows of time in $\mathcal F$ is decidable.

(ii) Let $\mathcal F^+$ range over the classes of flows of time above and $\{(\mathbb R,<)\}$, and suppose that finite realizability is decidable for sets of types of formulas in $\mathcal L'$. Then the satisfiability problem for $\mathcal L'$-sentences in models based on flows of time in $\mathcal F^+$ and having finite domains is decidable.

The proof of part (i) of the theorem uses quasimodels. A quasimodel of $\varphi$ over a flow of time $\mathfrak F = (W,<)$ consists of an assignment of a realizable set of types $S_w$ to each $w \in W$, the sequence $(S_w : w \in W)$ having certain specified properties. The existence of a quasimodel for $\varphi$ can be expressed by a sentence $\sigma_\varphi$ of monadic second-order logic, which can be effectively constructed from $\varphi$ so long as it is decidable whether an arbitrary set of $\varphi$-types is realizable. It is shown that $\varphi$ is satisfiable in a model with flow of time $\mathfrak F$ iff there exists a quasimodel for $\varphi$ over $\mathfrak F$. Thus, $\varphi$ has a model with flow of time $\mathfrak F$ iff $\mathfrak F \models \sigma_\varphi$. If $\mathcal F$ is $\{(\mathbb N,<)\}$, $\{(\mathbb Z,<)\}$, or $\{(\mathbb Q,<)\}$, this last statement is decidable by results of [15,46]. The other cases can now be obtained by reduction. Part (ii) is proved differently, since the full monadic second-order theory of $(\mathbb R,<)$ is undecidable. The proof adapts the argument of the second part of [ref]; see [35] for details.

As a consequence of Theorem 5 we obtain, for example, the following results, where $\mathcal F$ and $\mathcal F^+$ have the same meaning as above.



Theorem 6. The following fragments are decidable:

$QTL(\mathcal F) \cap \mathcal{QTL}^1$, $\quad QTL(\mathcal F) \cap \mathcal{QTL}^2_1$, $\quad QTL(\mathcal F) \cap \mathcal{QTL}^{mo}_1$, $\quad QTL(\mathcal F) \cap \mathcal{TGF}_1$,

$QTL_{fin}(\mathcal F^+) \cap \mathcal{QTL}^1$, $\quad QTL_{fin}(\mathcal F^+) \cap \mathcal{QTL}^{mo}_1$, $\quad QTL_{fin}(\mathcal F^+) \cap \mathcal{TGF}_1$.

The corresponding loosely guarded and fluted fragments are decidable as well (for definitions see [ref]).

Problem 3. Does Theorem 5 hold for QTL((ℝ, <))?



Problem 4. What is the computational complexity of the decision problem for
the above fragments as well as other decidable fragments mentioned in this
paper?

It follows from the proof of Theorem 5 for the flow of time (ℕ, <)
that QTL((ℕ, <)) ∩ ℒ' is in EXPSPACE whenever the problem of whether a
set of φ-types, for an ℒ'-formula φ, is realizable is decidable in EXPSPACE
(in the length of φ). Conversely, it is proved in [?] that QTL((ℕ, <)) ∩ QTL¹
is EXPSPACE-hard. It follows, for example, that the satisfiability problem for
QTL^mo-formulas in models based on (ℕ, <) is EXPSPACE-complete.

According to Theorem 3 the results above do not generalize to QPCTL*,
since already the one-variable fragment of QCTL*_P is undecidable. However, as
soon as we restrict ourselves to QPCTL, we obtain the following:

Theorem 7 (criterion 2: branching case [36]). Let ℒ ⊆ QPCTL₁ and
suppose that there is an algorithm that decides for any ℒ-formula φ whether an
arbitrarily-given set of φ-types is realizable. Then satisfiability of ℒ-formulas is
decidable for both bundled and full tree models.

The proof is again via quasimodels and embedding into monadic second-order
logic.

As a consequence we obtain

Theorem 8. The fragments

QPCTL ∩ QPCTL², QPCTL ∩ QPCTL^mo, QPCTL ∩ TGF₁,

as well as their bundled versions are decidable.

Another way to obtain decidable fragments in the branching time case is to
restrict further the formulas that can have free variables. Denote by QCTL*_○
the fragment of QCTL*₁ in which only ○ may be applied to formulas with one
free variable (the other operators U, E and A may be applied only to sentences).
Then we have:

Theorem 9 (criterion 3: branching case [36]). Let ℒ ⊆ QCTL*_○ and
suppose that there is an algorithm that decides for any ℒ-formula φ whether an
arbitrarily-given set of φ-types is realizable. Then satisfiability of ℒ-formulas in
bundled tree models is decidable.

Here the proof uses quasimodels and a mosaic technique. 

Therefore, we also obtain 

Theorem 10. The fragments

BQCTL* ∩ (QCTL*_○)¹, BQCTL* ∩ (QCTL*_○)^mo, BQCTL* ∩ TGF_○

are decidable.

Problem 5. Does Theorem 10 hold for the unbundled case?

Problem 6. Are there any interesting languages between QCTL*_○ and QCTL*
for which Theorem 10 holds? In particular, does it hold for the fragment of those
QCTL*-formulas in which U can be applied to formulas with one free variable
but A only to closed formulas? Does it hold for the fragment of those QCTL*-
formulas in which ○ and E can be applied to formulas with one free variable
but U only to closed formulas?

6 Adding Equality 

So far we have considered first-order temporal languages without equality and 
function symbols. A natural question is whether our decidability results con- 
cerning the class of monodic formulas can be generalized to the languages with 
these ingredients. 

It is not hard to see (cf. [53]) that adding function symbols quickly destroys
the nice properties of monodic formulas. For example, the set of one-variable
formulas with one function symbol that are valid in models based on (ℕ, <) is
not recursively enumerable.

Let us now consider the language QTL extended with equality (but not func-
tion symbols). This language will be denoted by QTL⁼. The following negative
result can be proved by reduction of the validity problem for first-order formulas
in finite structures.






Theorem 11 ([61]). The set of monodic QTL⁼-formulas that are valid in all
temporal models based on (ℕ, <) is not recursively enumerable, and so not
recursively axiomatizable.

Recently, this result was generalized to fragments that are decidable without
equality:

Theorem 12 ([22]). The set of two-variable monadic formulas in QTL₁⁼ that
are valid in models based on (ℕ, <) is not recursively enumerable.

The guarded fragment (and extensions like the loosely guarded, packed, and
clique-guarded [33] fragments) are more robust under addition of equality:

Theorem 13 ([37]). QTL⁼(T) ∩ QTL₁ ∩ TGF and QTL⁼_fin(T⁺) ∩ QTL₁ ∩
TGF are decidable, where T, T⁺ are as in Theorem 5.

The reason for this robustness is that the models of guarded sentences are
closed under disjoint unions. The same property was used in [60] to show that
various temporalized description logics with number restrictions and nominals
are decidable.

7 Applications 

The results obtained for monodic fragments of first-order temporal logics can be 
applied to both temporal description logics and spatio-temporal logics. 

7.1 Temporal Description Logics 

Observe that the translation (defined in Section [?]) of any DTL-formula
lies in the two-variable fragment of the monodic fragment of QTL. Hence, we
obtain the following results; cf. [?].

Theorem 14. Suppose that T is a class of strict linear orders. If satisfiability
of QTL₁ ∩ QTL²-formulas in models based on flows of time in T is decidable,
then satisfiability of DTL-formulas in T is decidable as well.

This decidability result extends to temporalized description logics based on
more expressive description logics than ALC. For example, one can take instead
of ALC the description logic CI corresponding to propositional dynamic logic
with converse (see [?]) or the description logic DLR of [?] which contains n-
ary roles. The resulting temporalized description logics are suitable for temporal
conceptual modelling [?].

The situation is quite different in the branching case. One can show (see
[?] for details) that the one-variable fragment of QCTL*_P is embeddable into
DCTL*_P. Hence we obtain from Theorem 3:

¹ Note that we would not obtain monodic formulas if temporal operators were applied
to roles. This is another explanation of the bad behavior of temporal description
logics with temporalized roles.

Theorem 15. Satisfiability of DCTL*_P-formulas is undecidable both in bundled
and full ω-trees.

To obtain positive results in the branching case, we can employ Theorem 8.
The translation φ† of any DPCTL-formula φ belongs to QPCTL₁ ∩ QPCTL².
So we have:

Theorem 16. Satisfiability of DPCTL-formulas is decidable both in bundled
and full ω-trees.

7.2 Spatio-Temporal Logics 

We now apply the results about first-order temporal logics to spatio-temporal
logics. Consider first the linear case.

Theorem 17 ([59]). Suppose satisfiability of the one-variable fragment of QTL
in the class T of linear flows of time is decidable. Then satisfiability of STL_○-
formulas in T is decidable.

Problem 7. Is the satisfiability problem for arbitrary STL-formulas in models
based on (ℕ, <) and other flows of time decidable?

The difficulty here is that the application of temporal operators different from
○ corresponds on the semantic side to possibly infinite intersections and unions
of sets. These are not respected by the embeddings into first-order temporal
logics. However, as far as we are satisfied with FSA-models (in which each region
may have only finitely many states), we can reduce the satisfiability problem to
satisfiability of one-variable first-order formulas in models with finite domains.
We then obtain:

Theorem 18 ([62]). Suppose that satisfiability of the one-variable fragment of
QTL in models based on flows of time from a class T and having finite domains
is decidable. Then satisfiability of STL-formulas in FSA-models based on flows
of time in T is decidable as well. This applies, in particular, to all classes
mentioned in Theorem 5 (ii).

The branching case is again different because we can encode the one-variable
fragment of QCTL*_P in SCTL*_P, even if we confine ourselves to discrete topolog-
ical spaces. Thus we obtain from Theorem 4:

Theorem 19 ([36]). Satisfiability of SCTL*_P-formulas is undecidable for both
bundled and full ω-trees, even for models based on discrete topological spaces.

SCTL_○ can be embedded into the one-variable fragment of QCTL*_○. So we
obtain from Theorem 10:

Theorem 20 ([36]). Satisfiability of SCTL_○-formulas in bundled ω-trees is
decidable.
8 Practical Reasoning Algorithms

Two kinds of ‘practical’ algorithms have been proposed for logics related to
monodic fragments of first-order temporal logics. [?] develop tableau-based
decision procedures for temporal description logics which combine standard
tableaux for description logics with Wolper’s tableau for propositional tem-
poral logic. An interesting aspect of those tableau calculi is that they are based
on the same idea as the model-theoretic decidability proofs. Instead of con-
structing models directly, they construct quasimodels in which the states are
locally saturated sets of (partial) types. A tableau calculus for temporal de-
scription logics with expanding domains is implemented in [32]. Those algo-
rithms are easily modified to obtain an algorithm deciding the future fragment
of QTL((ℕ, <)) ∩ QTL¹.

The second approach employs the resolution method. [23] provides a clausal
temporal resolution calculus which is complete for those formulas of the future
fragment of QTL((ℕ, <)) ∩ QTL₁ in which only ○ is applied to open formulas
(other temporal operators may be applied only to sentences).



9 Expressive Completeness 

The temporal language QTL provides only ‘implicit’ access to time. Quantifi-
cation over points in time in the sense of first-order logic is not permitted, and
the only means of expressing temporal properties is by the operators Since and
Until. A common alternative is to reason about time explicitly, using first-order
logic. Following this approach in the propositional case yields monadic first-order
logic interpreted in strict linear orders, while in the predicate case it leads to a
two-sorted first-order language, called ‘TS’ in what follows, one sort of which
refers to points in time and the other to the first-order domain (see, e.g., [2,31,?]).

The alphabet of TS consists of:

— an infinite set of individual variables x₀, x₁, ..., and a set of constants
c₀, c₁, ... of domain sort,

— an infinite set of individual variables t₀, t₁, ... of temporal sort,

— the binary predicate symbol < of sort ‘temporal × temporal’,

— predicate symbols P₀, P₁, ... of sort ‘temporal × domainⁿ’, n < ω.

Formulas of TS are defined inductively:

— tᵢ < tⱼ is an (atomic) formula, for temporal variables tᵢ, tⱼ;

— P(t, y₁, ..., yₙ) is an (atomic) formula, for a predicate symbol P of sort tem-
poral × domainⁿ, a temporal variable t, and domain variables or constants
y₁, ..., yₙ;

— if φ and ψ are formulas and v is a (temporal or domain) variable, then ¬φ,
φ ∧ ψ, and ∀vφ are formulas.
TS is interpreted in standard first-order temporal models 𝔐 = (𝔉, D, I), where
𝔉 = (W, <) is a flow of time (i.e., a strict linear order), D is a non-empty set,
the domain of 𝔐, and I is a function associating with every moment of time
w ∈ W a first-order structure I(w) in which, for each i, Pᵢ^{I(w)} is a predicate on
D of arity n whenever Pᵢ is of arity n + 1, and cᵢ^{I(w)} ∈ D. We require again that
cᵢ^{I(w)} = cᵢ^{I(w')} for all w, w' ∈ W.

An assignment in 𝔐 is a function a = a₁ ∪ a₂ such that a₁ associates with
every temporal variable t a moment of time a₁(t) ∈ W and a₂ associates with
every domain variable x an element a₂(x) of D. We extend a canonically to
constants as before.

The truth relation 𝔐 ⊨^a φ is defined inductively as follows:

— 𝔐 ⊨^a tᵢ < tⱼ iff a₁(tᵢ) < a₁(tⱼ);

— 𝔐 ⊨^a P(t, y₁, ..., yₙ) iff (a₂(y₁), ..., a₂(yₙ)) ∈ P^{I(a₁(t))}, for any constants
or domain variables y₁, ..., yₙ;

— the standard clauses for the booleans;

— 𝔐 ⊨^a ∀vφ iff 𝔐 ⊨^b φ for every assignment b that may differ from a only
on v.

It should be clear that the temporal operators U and S of QTL are express-
ible in TS. Formally, suppose that each n-ary predicate symbol Qᵢ of QTL is
associated with the (n + 1)-ary predicate symbol Pᵢ of TS. Also fix a temporal
variable t. Define a translation † from QTL into TS by taking

Qᵢ(x₁, ..., xₙ)† = Pᵢ(t, x₁, ..., xₙ),

(φ ∧ ψ)† = φ† ∧ ψ†,

(∀xφ)† = ∀x(φ†),

(φ U ψ)† = ∃t'(t < t' ∧ ψ†{t'/t} ∧ ∀t''(t < t'' < t' → φ†{t''/t})),

(φ S ψ)† = ∃t'(t' < t ∧ ψ†{t'/t} ∧ ∀t''(t' < t'' < t → φ†{t''/t})),

where t' and t'' are new temporal variables.

The meaning of the translation † can be explained as follows. Suppose that
𝔐 = (𝔉, D, I) is a TS-model and that a = a₁ ∪ a₂ is an assignment in 𝔐. Let
𝔑 = (𝔉, D, J) be a QTL-model, and b an assignment in 𝔑. We say that (𝔐, a)
and (𝔑, b) are equivalent if Pᵢ^{I(w)} = Qᵢ^{J(w)} for all w, i, and a₂ = b.

Lemma 1. Suppose that (𝔐, a) and (𝔑, b) are equivalent. Then for every QTL-
formula φ, we have (𝔑, a(t)) ⊨^b φ iff 𝔐 ⊨^a φ†.

The proof is an easy induction on φ.
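The translation † and Lemma 1, as an added worked example that is not part of the paper: the Python below renders QTL and TS formulas as nested tuples, implements the clauses of † (realising ψ†{t'/t} by translating ψ with t' as the current temporal variable, and adding the obvious clause for ¬, which the text does not display), evaluates both logics over a small constructed finite model, and checks Lemma 1 on it for every moment and every assignment. The variable-naming convention, the model encoding and the sample model are assumptions of the example, not notation from the paper.

```python
import itertools

# Added example, not code from the paper: the translation † of QTL into the two-sorted
# language TS, with evaluators for both logics so Lemma 1 can be checked on a small
# constructed model.  Formulas are nested tuples:
#   QTL: ('Q', name, args) ('not', f) ('and', f, g) ('forall', x, f) ('U', f, g) ('S', f, g)
#   TS:  ('lt', t1, t2) ('P', name, t, args) ('not', f) ('and', f, g) ('implies', f, g)
#        ('forall', v, f) ('exists', v, f)       (∃ and → abbreviate ¬∀¬ and ¬(· ∧ ¬·))
# Convention of this example: temporal variable names start with 't', domain ones do not.

def make_fresh():
    """Supplies the new temporal variables t', t'', ... used by the U and S clauses."""
    counter = itertools.count(1)
    return lambda: f"t{next(counter)}"

def dagger(phi, t, pred_map, fresh):
    """phi† with t as the current temporal variable.  psi†{t'/t} is realised by translating
    psi with t' as current variable (sound because t' is fresh); the clause for ¬ is the
    obvious one, which the text does not display."""
    k = phi[0]
    if k == "Q":                                    # Q_i(x1..xn)† = P_i(t, x1..xn)
        return ("P", pred_map[phi[1]], t, phi[2])
    if k == "not":
        return ("not", dagger(phi[1], t, pred_map, fresh))
    if k == "and":                                  # (phi ∧ psi)† = phi† ∧ psi†
        return ("and", dagger(phi[1], t, pred_map, fresh), dagger(phi[2], t, pred_map, fresh))
    if k == "forall":                               # (∀x phi)† = ∀x(phi†)
        return ("forall", phi[1], dagger(phi[2], t, pred_map, fresh))
    if k not in ("U", "S"):
        raise ValueError(f"unknown connective {k}")
    # (phi U psi)† = ∃t'(t < t' ∧ psi†{t'/t} ∧ ∀t''(t < t'' < t' → phi†{t''/t}));
    # (phi S psi)† is the mirror image with t' < t and t' < t'' < t.
    t1, t2 = fresh(), fresh()
    psi_at_t1 = dagger(phi[2], t1, pred_map, fresh)
    phi_at_t2 = dagger(phi[1], t2, pred_map, fresh)
    if k == "U":
        outer, between = ("lt", t, t1), ("and", ("lt", t, t2), ("lt", t2, t1))
    else:
        outer, between = ("lt", t1, t), ("and", ("lt", t1, t2), ("lt", t2, t))
    return ("exists", t1, ("and", outer, ("and", psi_at_t1,
                           ("forall", t2, ("implies", between, phi_at_t2)))))

# A model is (W, D, I): W the moments ordered by <, D the domain, I[(w, P)] the set of
# tuples in the (n+1)-ary TS symbol P at moment w.  QTL symbols are read through
# pred_map, so the two readings of one model are "equivalent" in the sense of Lemma 1.

def qtl_holds(phi, m, w, b, pred_map):
    """(N, w) ⊨^b phi, with the strict Until/Since that the translation encodes."""
    W, D, I = m
    k = phi[0]
    if k == "Q":
        return tuple(b[x] for x in phi[2]) in I.get((w, pred_map[phi[1]]), set())
    if k == "not":
        return not qtl_holds(phi[1], m, w, b, pred_map)
    if k == "and":
        return qtl_holds(phi[1], m, w, b, pred_map) and qtl_holds(phi[2], m, w, b, pred_map)
    if k == "forall":
        return all(qtl_holds(phi[2], m, w, {**b, phi[1]: d}, pred_map) for d in D)
    for w1 in W:                                    # witness t' (w < w1 for U, w1 < w for S)
        lo, hi = (w, w1) if k == "U" else (w1, w)
        if lo < hi and qtl_holds(phi[2], m, w1, b, pred_map) and all(
                qtl_holds(phi[1], m, w2, b, pred_map) for w2 in W if lo < w2 < hi):
            return True
    return False

def ts_holds(f, m, a):
    """M ⊨^a f; a maps temporal variables to moments and domain variables to elements."""
    W, D, I = m
    k = f[0]
    if k == "lt":
        return a[f[1]] < a[f[2]]
    if k == "P":
        return tuple(a[y] for y in f[3]) in I.get((a[f[2]], f[1]), set())
    if k == "not":
        return not ts_holds(f[1], m, a)
    if k == "and":
        return ts_holds(f[1], m, a) and ts_holds(f[2], m, a)
    if k == "implies":
        return (not ts_holds(f[1], m, a)) or ts_holds(f[2], m, a)
    values = W if f[1].startswith("t") else D       # sort of the quantified variable
    return (all if k == "forall" else any)(ts_holds(f[2], m, {**a, f[1]: v}) for v in values)

def lemma1_holds(phi, xs, m, pred_map):
    """(N, a(t)) ⊨^b phi iff M ⊨^a phi†, for every moment and every assignment to xs."""
    W, D, _ = m
    for w in W:
        for vals in itertools.product(D, repeat=len(xs)):
            b = dict(zip(xs, vals))
            ts = dagger(phi, "t", pred_map, make_fresh())
            if qtl_holds(phi, m, w, b, pred_map) != ts_holds(ts, m, {**b, "t": w}):
                return False
    return True

# Constructed sample: four moments, two individuals, Q0 read as P0 and Q1 as P1.
PRED_MAP = {"Q0": "P0", "Q1": "P1"}
MODEL = ([0, 1, 2, 3], ["a", "b"],
         {(0, "P0"): {("a",)}, (1, "P0"): {("a",)}, (2, "P0"): {("b",)}, (2, "P1"): {("a",)}})
UNTIL = ("U", ("Q", "Q0", ("x",)), ("Q", "Q1", ("x",)))      # Q0(x) U Q1(x)
SINCE = ("S", ("Q", "Q0", ("x",)), ("Q", "Q1", ("x",)))      # Q0(x) S Q1(x)
ALL_UNTIL = ("forall", "x", UNTIL)                            # ∀x (Q0(x) U Q1(x))
```

Running `lemma1_holds(UNTIL, ["x"], MODEL, PRED_MAP)` exhausts all four moments and both values of x and returns True; `dagger(UNTIL, "t", PRED_MAP, make_fresh())` yields the TS formula ∃t1(t < t1 ∧ P1(t1, x) ∧ ∀t2((t < t2 ∧ t2 < t1) → P0(t2, x))), which is exactly the U clause with t1 and t2 for t' and t''.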
On the other hand, there are TS-formulas that are not expressible in QTL
over any interesting class of flows of time. For example, the TS-sentence

∃t₁∃t₂(t₁ < … P(t₂, x)))

cannot be expressed in QTL over the flow of time (ℚ, <), nor over the class of
finite linear flows [?]. Recall that in the propositional case, both languages
are known to have the same expressive power over most classes of flows of time,
i.e., the temporal propositional language is expressively complete, see [38,28]. It
turns out, however, that QTL and QTL₁ are expressively complete for some
natural fragments of TS.

Definition 2. Let TS_{1t} (respectively, TS_{1x}) consist of all TS-formulas φ with
no subformulas of the form ∀xψ (∀tψ) where ψ has more than one free temporal
(respectively, domain) variable. Let TS₁ = TS_{1t} ∩ TS_{1x}.

Note that for every QTL-formula φ, we have φ† ∈ TS_{1t}, and for every
φ ∈ QTL₁ we have φ† ∈ TS₁.

Let T be a class of flows of time, ℒ ⊆ QTL, and ℒ' ⊆ TS. We say that
ℒ is expressively complete for ℒ' over T if for every ψ ∈ ℒ' with at most one
free temporal variable, there exists a formula φ ∈ ℒ such that φ† and ψ are
equivalent in all models based on flows of time in T.

Theorem 21 ([35]). Let T be the class of all Dedekind-complete linear flows
of time (T contains, for example, (ℕ, <), (ℤ, <), (ℝ, <), and all finite linear
orders). Then

1. QTL is expressively complete for TS_{1t} over T,

2. QTL₁ is expressively complete for TS₁ over T.

The proof uses Kamp’s theorem ([38]; see also [?, chapters 9–12]) that the
propositional temporal logic with S and U is expressively complete for monadic
first-order logic over T. The required φ can be constructed effectively from ψ.

For a class ℋ of flows of time, denote by TS(ℋ) the set of all TS-sentences
that are true in all models based on frames in ℋ, and by TS_fin(ℋ) the set of
TS-sentences true in all models based on frames in ℋ and having finite domains.
Given a set QTL' ⊆ QTL₁, let

TS' = {ψ ∈ TS₁ : φ ∈ QTL'},

where φ is as above. Since φ can be constructed effectively from ψ, by Lemma 1
and Theorem 21 we obtain the following:

Theorem 22. Suppose that every 𝔉 ∈ ℋ is Dedekind-complete, and let QTL' ⊆
QTL₁. If the fragment QTL(ℋ) ∩ QTL' is decidable, then the fragment TS(ℋ) ∩
TS' is decidable. If the fragment QTL_fin(ℋ) ∩ QTL' is decidable, then the
fragment TS_fin(ℋ) ∩ TS' is decidable.

This can be combined with Theorem 6 to obtain decidable fragments of TS.

Problem 8. Extend the above results to cover branching time.

See [28] for information about expressive completeness for propositional temporal
logics over branching time.
Abstract. Bounded model checking methodologies check the correctness of a sys-
tem with respect to a given specification by examining computations of a bounded
length. Results from set-theoretic topology imply that sets in Σ^ω that are both
open and closed (clopen sets) are precisely bounded sets: membership of a word
in a clopen set can be determined by examining a bounded prefix of it. Clopen
sets correspond to specifications that are both safety and co-safety. In this paper
we study bounded specifications from this perspective. We consider both the lin-
ear and the branching frameworks. In the linear framework, we show that when
clopen specifications are given by word automata or temporal logic formulas, we
can identify a bound and translate the specification to bounded formalisms such as
cycle-free automata and bounded LTL. In the branching framework, we show that
while clopen sets of trees with infinite branching degrees may not be bounded, we
can extend the results from the linear framework to clopen specifications given by
tree automata or temporal logic formulas, even for trees with infinite branching
degrees. There, we can identify a bound and translate clopen specifications to
cycle-free automata and modal logic. Finally, we show how our results imply that
the bottom levels of the μ-calculus hierarchy coalesce.



1 Introduction 

Today’s rapid development of complex and safety-critical systems requires reliable ver-
ification methods. In model checking, we verify that a system meets a desired property
by checking that a mathematical model of the system meets a formal specification that
describes the property [CGP99]. For example, we can view computations of a nontermi-
nating system S as infinite words over an alphabet Σ (typically, Σ = 2^AP, where AP
is the set of the system’s atomic propositions). Then, S induces a language L(S) ⊆ Σ^ω.
Similarly, we can view a property ψ of the system as a language L(ψ) ⊆ Σ^ω of all
the computations that satisfy ψ. Verification that S satisfies ψ can then be reduced to
checking that L(S) ⊆ L(ψ) [Kur94,VW94].

Of special interest are properties asserting that the system always stays within some
allowed region in which nothing “bad” happens. For example, we may want to assert
that every message received was previously sent. Such properties of systems are called

* Supported in part by BSF grant 9800096.

** Supported in part by NSF grants CCR-9700061, CCR-9988322, IIS-9908435, IIS-9978135,
safety properties. Intuitively, a property ψ is a safety property if every violation of ψ
occurs after a finite execution of the system. In our example, if in a computation of the
system a message is received without previously being sent, this occurs after some finite
execution of the system [Kin94].

Model checking of general properties considers infinite computations. Indeed, L(S)
and L(ψ) are languages in Σ^ω, and checking whether L(S) ⊆ L(ψ) involves a search
for bad cycles [VW94]. A symbolic implementation of such a search may be very ex-
pensive [HKSV97,BGS00]. On the other hand, model checking of safety properties
involves a search for finite bad prefixes. Therefore, such a search considers only fi-
nite computations and is much simpler than general model-checking search [KV99].
The simplicity of the search for finite bad prefixes has motivated the development of
bounded model checking methodologies, which consider computations of a bounded
length. For example, in SAT-based model checking, we generate a propositional for-
mula ψ_k, for a fixed k > 0, such that ψ_k is satisfiable iff the property is violated by
a prefix of length k of some computation [BCC+99,BCRZ99]. In symbolic trajectory
evaluation (STE), we try to falsify the correctness of a computation by referring only to
a bounded prefix of it. The method is sound but not complete: we may terminate with no
answer to the model-checking problem [SB95]. While it is possible to extend both SAT-
based model checking and STE to handle ω-regular properties¹, the key idea of bounded
model-checking methodologies is to reason about prefixes of a bounded length.

Recall that if a safety property is violated, then there is a finite prefix along which
the violation has occurred. While we know that such a bad prefix exists, we cannot in
general bound its length a-priori. Moreover, it may be that no such bound exists. For
example, no bound exists for the safety property Gp (p is always true). Indeed, for every
k > 0, the prefix p^k can be extended to a computation that satisfies Gp and can also be
extended to a computation that does not satisfy Gp. We say that a property ψ is bounded
if there is k > 0 such that for every computation π, the satisfaction of ψ in π can be
determined by observing only the prefix of length k of π. It is clear that all bounded
properties are also safety properties, but, as Gp demonstrates, safety is not a sufficient
condition for boundedness.

The recent developments in bounded model checking have led to growing interest
in bounded properties and their power. Motivated by these developments, we set out to
characterize the expressive power of bounded properties. The initial goal of this research
was to lift results about bounded sets in set-theoretic topology to results about bounded
properties. Several basic topological notions have natural meaning in the context of
formal languages and have been useful in studying the latter [HR86]. In particular,
the study of the Borel hierarchy in set-theoretic topology was helpful to the study of
the various types of automata on infinite words, whose acceptance conditions can be
classified in terms of their location in the Borel hierarchy [Lan69,Tho90].

Let us first review some of the relevant terminology from set-theoretic topology.
Consider a set X and a distance function d : X × X → ℝ between the elements of
X. For an element x ∈ X and γ > 0, let K(x, γ) be the set of elements x' such that

¹ In SAT-based model checking, it is possible to reason about cycles of a bounded length
[BCCZ99], and in STE it is possible to combine several checks in order to reason about cycles
[Yan00].
d(x, x') < γ. Consider a set S ⊆ X. An element x ∈ S is called an interior element of
S if there is γ > 0 such that K(x, γ) ⊆ S. The set S is open if all the elements in S
are interior. A set S is closed if X \ S is open. So, a set S is open if every element in S
has a nonempty “neighborhood” contained in S, and a set S is closed if every element
not in S has a nonempty neighborhood whose intersection with S is empty. A set that is
both open and closed is called a clopen set.

A Cantor space consists of X = D^ω, for some finite D, and d defined by d(w, w') =
1/2ⁿ, where n is the first position where w and w' differ. Thus, elements of X can be viewed
as infinite words over D and two words are close to each other if they have a long common
prefix. If w = w', then d(w, w') = 0. It is known that clopen sets in Cantor space are
bounded, where a set S is bounded if it is of the form W · D^ω for some finite set
W ⊆ D*. Hence, clopen sets in our Cantor space correspond exactly to the bounded
properties we are looking for: each clopen language L ⊆ Σ^ω has a bound k > 0 such
that membership in L can be determined by the prefixes of length k of words in Σ^ω.

What are these clopen sets in Σ^ω? It turns out that topology has an answer to this
question as well [MP89,Gum93]: recall that a language L ⊆ Σ^ω is a safety language²
iff every w ∉ L has a bad prefix x ∈ Σ* such that for all y ∈ Σ^ω, we have x · y ∉ L. A
language L ⊆ Σ^ω is a co-safety language³ iff Σ^ω \ L is a safety language. Equivalently,
L is co-safety iff every w ∈ L has a good prefix x ∈ Σ* such that for all y ∈ Σ^ω, we
have x · y ∈ L. It is not hard to see that a language L ⊆ Σ^ω is co-safety iff L is an open
set in our Cantor space. To see that, consider a word w in a co-safety language L, and let
x be a good prefix of w. All the words w' with d(w, w') < 1/2^|x| have x as their prefix, so
they all belong to L. For the second direction, consider a word w in an open set L, and
let γ > 0 be such that K(w, γ) ⊆ L. The prefix of w of length ⌈log(1/γ)⌉ is a good prefix
for L. It follows that the clopen sets in Σ^ω, namely the bounded properties we are after,
are exactly these properties that are both safety and co-safety!

While topology immediately solved our initial question about bounded properties
(c.f., [Sta97]), it has led to many new questions. The properties we are interested in
are not general subsets of Σ^ω. Rather, they are ω-regular, given by an automaton or a
temporal-logic formula. Can we make use of this extra structure? For example, can we
identify a bound for a given clopen property? Can we identify a tight bound? Once we
found a bound k, can we translate clopen properties to formalisms that refer to the prefix
of length k only? (We call such formalisms bounded formalisms.) What would be the
blow-up of such a translation? Also, sometimes we want to verify branching temporal
properties (that is, properties that describe the whole computation tree of a system, and
not its individual computations) [Lam80,EH86]. Can we extend the results from the
linear framework to the branching one?

So, the enhanced goal of this research has become the study of clopen ω-regular
linear and branching properties. We start with the linear framework. We first show that
for an ω-regular clopen language L ⊆ Σ^ω, we can identify a bound. We describe two
incomparable bounds. The first refers to the deterministic automaton for L and the

² The definition of safety we consider here is given in [AS85]; it coincides with the definition of
limit closure defined in [Eme83], and is different from the definition in [Lam85], which also
refers to the property being closed under stuttering.

³ The term used in [MP92] is guarantee language.
second refers to the nondeterministic automata for L and Σ^ω \ L. Using the bound, we
translate L to bounded formalisms, specifically, to a cycle-free automaton and to an LTL
formula whose only temporal operator is X (“next”), and we study the blow up of these
translations. In particular, we show that the translation of a clopen LTL formula to a
formula whose only temporal operator is X is tightly exponential (that is, exponential
in both the upper and lower bound senses).

We then turn to the branching framework. The definition of safety and co-safety
properties can be easily extended to the branching framework [BFG+91,KV99,MT01].
Let τ(Σ, Υ) be the set of Σ-labeled trees with directions in Υ; that is, the trees are
prefix-closed subsets of Υ*, and each node of the tree is labeled by a letter from Σ.
Intuitively, a language L ⊆ τ(Σ, Υ) is a safety language if every tree not in L has
a bad prefix (which is a tree of a finite height) all of whose extensions are not in L.
A clopen tree language is a language that is both safety and co-safety. We show that
a distinction should be made between trees of finite branching degrees and trees with
possibly infinite branching degrees. For the first type of trees, we can prove boundedness
using the same considerations as in the linear framework. On the other hand, for trees with
infinite branching degrees, it is not true that general clopen tree properties are bounded!
Nevertheless, when the clopen tree languages are ω-regular⁴, it is possible to extend the
results from the linear framework to both types of trees: we are able to identify a bound
and to translate clopen properties to cycle-free tree automata⁵. To obtain our result, we
use symmetric nondeterministic automata as a novel automata-theoretic tool (symmetry
has been previously applied only to alternating automata). The advantage of working
with nondeterministic automata is the ability to use pumping arguments.

The understanding that ω-regular clopen tree languages are bounded enables us to
show that the bottom levels of the μ-calculus expressiveness hierarchy coalesce. The
μ-calculus is an expressive and important specification language in which formulas
are built from Boolean operators, next-time modalities, and least and greatest fixed-
point operators [Koz83]. μ-calculus formulas are classified according to their alternation
depth, which is the maximal number of alternations between nested least and greatest
fixed-point operators. From a practical point of view, the classification is important, as
the alternation depth is the major factor in the complexity of μ-calculus model checking
[EL86]. A more refined classification also distinguishes between formulas in which the
outermost fixed-point operator in the nested chain is a least fixed-point operator (Σᵢ
formulas, where i is the alternation depth) and formulas where it is a greatest fixed-
point operator (Πᵢ formulas). Modal Logic (ML) consists of μ-calculus formulas with
no fixed-point operators. The μ-calculus is more expressive than ML, and in fact, it

⁴ A tree language is ω-regular if it can be recognized by a tree automaton. When the language
contains trees with infinite branching degrees, the automata are amorphous, capable of handling
infinite branching degrees. Several types of amorphous automata are studied in the literature. In
particular, in symmetric automata [JW95,Wil99a], the transition function describes universal
and existential requirements on the successors of the current node, it is independent of the
branching degree, and can handle trees with an infinite branching degree.

⁵ We assume that Υ is known; thus finite branching degrees are bounded by |Υ|. We could have
considered also trees with finite but unbounded branching degrees. As we note in the sequel,
general clopen properties of such trees may not be bounded, yet ω-regular properties of such
trees are bounded.
is possible to decide, given a μ-calculus formula, whether it has an equivalent ML
formula [Ott99]. Moreover, it was recently proved that the μ-calculus hierarchy is strict
(i.e., there is no d > 1 such that all μ-calculus formulas can be translated to formulas
of alternation depth d) [Bra98]. For several hierarchies in computer science, even strict
ones, it is possible to show local coalescence, where membership in some class of the
hierarchy and in its complementary class implies membership in a lower class. For
example, the equation RE ∩ co-RE = Recursive implies a coalescence at the bottom of
the arithmetical hierarchy⁶. It is shown in [BM78] that if a property describing classes
of structures can be expressed both as a least fixed-point and a greatest fixed-point of
a first-order formula, then it is equivalent to a first-order formula with no fixed points.
Since first-order formulas that are preserved under bisimulation are equivalent to ML
formulas [?,Ben91], the result in [BM78] implies a coalescence at the bottom of
the μ-calculus expressiveness hierarchy, namely Σ₁ ∩ Π₁ = ML. Using the fact that
μ-calculus formulas of alternation depth 1 induce either safety or co-safety symmetric
languages, we are able to get a constructive proof of the above coalescence, and to extend
it to finite structures⁷.

Due to lack of space, some of the proofs are missing. The full version of the paper
can be found at the authors’ URLs.



2 Preliminaries 

2.1 Safety and Co-safety Languages 

Consider a language $L \subseteq \Sigma^\omega$ of infinite words over the alphabet $\Sigma$. A finite word $x \in \Sigma^*$ is a bad prefix for $L$ if for all $y \in \Sigma^\omega$ we have $x \cdot y \notin L$. Thus, a bad prefix is a finite word that cannot be extended to an infinite word in $L$. Note that if $x$ is a bad prefix, then all the finite extensions of $x$ are also bad prefixes. We say that a bad prefix $x$ is minimal if all the strict prefixes of $x$ are not bad. A language $L$ is a safety language iff every $w \notin L$ has a finite bad prefix. For a safety language $L$, we denote by $\mathit{bad\_pref}(L)$ the set of all bad prefixes for $L$.

For a language $L \subseteq \Sigma^\omega$, we use $\mathit{comp}(L)$ to denote the complement of $L$; i.e., $\mathit{comp}(L) = \Sigma^\omega \setminus L$. We say that a language $L \subseteq \Sigma^\omega$ is a co-safety language iff $\mathit{comp}(L)$ is a safety language. Equivalently, $L$ is co-safety iff every $w \in L$ has a good prefix $x \in \Sigma^*$ such that for all $y \in \Sigma^\omega$ we have $x \cdot y \in L$. For a co-safety language $L$, we denote by $\mathit{good\_pref}(L)$ the set of good prefixes for $L$. Note that $\mathit{good\_pref}(L) = \mathit{bad\_pref}(\mathit{comp}(L))$.

For a set $\Upsilon$ of directions, an $\Upsilon$-tree is a nonempty set $T \subseteq \Upsilon^*$, where for every $x \cdot v \in T$ with $x \in \Upsilon^*$ and $v \in \Upsilon$, we have $x \in T$. The elements of $T$ are called nodes, and the empty word $\varepsilon$ is the root of $T$. For every $x \in T$, the nodes $x \cdot v \in T$ where $v \in \Upsilon$ are the children of $x$. A node with no children is a leaf. The degree of a node $x$, denoted $\mathit{deg}(x)$, is the number of children $x$ has. Note that $\mathit{deg}(x) \leq |\Upsilon|$. We assume that $\Upsilon$ is finite or $\Upsilon = \mathbb{N}$, in which case we may have nodes with an infinite degree. The height of a tree $T$ is the length (possibly $\infty$) of the longest node in $T$. Note that when $\Upsilon = \mathbb{N}$, there may be infinite trees with a finite height. A tree is leafless iff it has no leaves. Note that a tree may be infinite and still have leaves. A path $\pi$ of a tree $T$ is a set $\pi \subseteq T$ such that $\varepsilon \in \pi$ and for every $x \in \pi$, either $x$ is a leaf, or there exists a unique $v \in \Upsilon$ such that $x \cdot v \in \pi$. For an integer $d$, a $d$-$\Upsilon$-cone is an $\Upsilon$-tree all of whose paths are finite and have leaves in $\Upsilon^d$. An $\Upsilon$-cone is a $d$-$\Upsilon$-cone for some $d$. For a tree $T$ with a finite height, an extension of $T$ is a tree $T'$ such that $T \subseteq T'$ and every node $z \in T' \setminus T$ has a leaf $x$ of $T$ for which $z = x \cdot y$ for some $y \in \Upsilon^+$.

† On the other hand, the analogous coalescence for the polynomial hierarchy is not known. It is a major open question whether $\mathrm{NP} \cap \mathrm{co\text{-}NP} = \mathrm{PTIME}$ [GJ79].

‡ The result in [BM78] appeals to the Compactness Theorem, so it is not constructive and does not carry over to finite structures.

Given a finite set $\Sigma$, a $\Sigma$-labeled $\Upsilon$-tree is a pair $(T, V)$ where $T$ is an $\Upsilon$-tree and $V : T \to \Sigma$ maps each node of $T$ to a letter in $\Sigma$. We use $\tau(\Sigma, \Upsilon)$ to denote the set of all $\Sigma$-labeled leafless $\Upsilon$-trees. For a language $L \subseteq \tau(\Sigma, \Upsilon)$, we use $\mathit{comp}(L)$ to denote the complement of $L$; i.e., $\mathit{comp}(L) = \tau(\Sigma, \Upsilon) \setminus L$.

Consider an $\Upsilon$-tree $T \subseteq \Upsilon^*$. A prefix of $T$ is a nonempty prefix-closed subset of $T$ with a finite height. A prefix of a tree $(T, V) \in \tau(\Sigma, \Upsilon)$ is a $\Sigma$-labeled $\Upsilon$-tree $(P, V)$, where $P$ is a prefix of $T$. An extension of $(P, V)$ is a tree $(T', V') \in \tau(\Sigma, \Upsilon)$ such that $T'$ is an extension of $P$, and $V$ and $V'$ agree on the labels of the nodes in $P$. We say that a language $L \subseteq \tau(\Sigma, \Upsilon)$ is a safety language if every tree $(T, V) \notin L$ has a prefix $(P, V)$ all of whose extensions are not in $L$. The prefix $(P, V)$ is then a bad prefix for $L$. Dually, $L \subseteq \tau(\Sigma, \Upsilon)$ is co-safety if every tree $(T, V)$ in $L$ has a prefix $(P, V)$ all of whose extensions are in $L$. The prefix $(P, V)$ is then a good prefix for $L$. Note that, as in the linear case, $L \subseteq \tau(\Sigma, \Upsilon)$ is co-safety iff $\mathit{comp}(L)$ is safety. A cone prefix is a prefix which is a cone. Since prefixes have a finite height, it is easy to see that each bad prefix induces a bad cone prefix, and similarly for good prefixes.

In both the linear and the branching frameworks, we say that a language is clopen if it is both safety and co-safety (or, equivalently, if both $L$ and $\mathit{comp}(L)$ are safety). Note that the set of clopen languages is closed under complementation. For a temporal logic formula $\psi$, we say that $\psi$ is a safety formula iff the set of words/trees that satisfy $\psi$ is a safety language. Similarly, $\psi$ is a co-safety formula iff this set is a co-safety language, or, equivalently, $\neg\psi$ is a safety formula. For an LTL formula $\psi$ over a set $AP$ of atomic propositions, let $\|\psi\|$ denote the set of computations in $(2^{AP})^\omega$ that satisfy $\psi$. Similarly, for a CTL* formula $\psi$ over $AP$, and a set $\Upsilon$ of directions, let $\|\psi\|_\Upsilon$ denote the set of computation trees in $\tau(2^{AP}, \Upsilon)$ that satisfy $\psi$. We say that $\psi$ is a safety formula iff $\|\psi\|_\Upsilon$ is a safety language for all $\Upsilon$. Also, $\psi$ is a co-safety formula iff $\|\psi\|_\Upsilon$ is a co-safety language for all $\Upsilon$ or, equivalently, $\neg\psi$ is a safety formula.



2.2 Automata 

Let $\Sigma$ be a finite alphabet. For a word $w = a_0 \cdot a_1 \cdots$ over $\Sigma$ and integers $i$ and $j$, we use $w[i, \ldots, j]$ to denote the infix (possibly prefix or suffix) $a_i \cdots a_j$ of $w$. A looping word automaton is $\mathcal{A} = \langle \Sigma, Q, \delta, Q_0 \rangle$, where $\Sigma$ is the input alphabet, $Q$ is a finite set of states, $\delta : Q \times \Sigma \to 2^Q$ is a transition function, and $Q_0 \subseteq Q$ is a set of initial states. The set $Q$ contains a state $q_{acc}$ designated as an accepting sink. If $|Q_0| = 1$ and $\delta$ is such that for every $q \in Q$ and $\sigma \in \Sigma$, we have $|\delta(q, \sigma)| \leq 1$, then $\mathcal{A}$ is a deterministic automaton.


O. Kupferman and M.Y. Vardi

Given an input word $w = \sigma_0 \cdot \sigma_1 \cdots$ in $\Sigma^\omega$, a run of $\mathcal{A}$ on $w$ is a function $r : \mathbb{N} \to Q$ where $r(0) \in Q_0$ and for every $i \geq 0$, either $r(i) = q_{acc}$ or $r(i+1) \in \delta(r(i), \sigma_i)$; i.e., the run starts in one of the initial states and obeys the transition function. Once the run reaches the accepting sink, its continuation is not important. Note that a nondeterministic automaton can have many runs on $w$. In contrast, a deterministic automaton has a single run on $w$. An automaton $\mathcal{A}$ accepts an input word $w$ iff there exists a run of $\mathcal{A}$ on $w$.

Amorphous tree automata run on $\Sigma$-labeled $\Upsilon$-trees. A looping tree automaton is $\mathcal{A} = \langle \Sigma, \Upsilon, Q, \delta, Q_0 \rangle$, where $\Sigma$, $Q$, and $Q_0$ are as in Büchi word automata (in particular, $Q$ contains an accepting sink $q_{acc}$), and $\delta : Q \times \Sigma \times \{1, \ldots, |\Upsilon|\} \to 2^{Q^*}$ is a (nondeterministic) transition function, with $\delta(q, \sigma, k) \subseteq Q^k$. When $\Upsilon$ is infinite and $k = \omega$, the tuples in $\delta(q, \sigma, k)$ are represented in some succinct way. We will return to this point shortly. Intuitively, in each of its transitions, $\mathcal{A}$ splits into several copies. Each copy proceeds to a subtree of the current node. A $k$-tuple $\langle q_1, q_2, \ldots, q_k \rangle \in \delta(q, \sigma, k)$ means that if $\mathcal{A}$ is now in state $q$ and it reads a node of degree $k$ labeled by $\sigma$, then a possible transition is one in which the copy that proceeds to the leftmost subtree moves to state $q_1$, the copy that proceeds to the subtree next to the leftmost one moves to state $q_2$, and so on. A run of $\mathcal{A}$ on an input $\Sigma$-labeled $\Upsilon$-tree $(T, V)$ is a $Q$-labeled $\Upsilon$-tree $(T, r)$ such that $r(\varepsilon) \in Q_0$ and for every $x \in T$ with successors $x \cdot v_1, x \cdot v_2, \ldots, x \cdot v_{\mathit{deg}(x)}$ in $T$, either $r(x) = q_{acc}$ or $\langle r(x \cdot v_1), r(x \cdot v_2), \ldots, r(x \cdot v_{\mathit{deg}(x)}) \rangle \in \delta(r(x), V(x), \mathit{deg}(x))$. If, for instance, $\Upsilon = \{0, 1\}$, $r(0) = q_2$, $V(0) = \sigma$, $\mathit{deg}(0) = 2$, and $\delta(q_2, \sigma, 2) = \{\langle q_1, q_2 \rangle, \langle q_4, q_5 \rangle\}$, then either $r(0 \cdot 0) = q_1$ and $r(0 \cdot 1) = q_2$, or $r(0 \cdot 0) = q_4$ and $r(0 \cdot 1) = q_5$. An automaton $\mathcal{A}$ accepts $(T, V)$ iff there exists a run of $\mathcal{A}$ on $(T, V)$.

Recall that amorphous automata are capable of reading trees with infinite branching degrees. For that, the tuples in the transition function are described in some succinct way. To handle trees with arbitrary branching degree, we introduce here symmetric nondeterministic looping automata, which are the nondeterministic counterpart of symmetric alternating looping automata [JW95,Wil99a].* In a symmetric looping automaton $\mathcal{A} = \langle \Sigma, Q, \delta, Q_0 \rangle$, the state space is $Q = 2^S$ for some set $S$ of underlying states, and the transition function $\delta : Q \times \Sigma \to 2^{2^S \times 2^S}$ maps a state and a letter to a set of pairs $\langle S_U, S_E \rangle$ of subsets of $S$. The set $S_U \subseteq S$ is the universal set and it describes the underlying states that should be members of all the successor states. The set $S_E \subseteq S$ is the existential set and it describes underlying states each of which has to be a member of at least one successor state. Formally, the tuples induced by $\delta(q, \sigma)$ are $\langle S_1, \ldots, S_k \rangle$ for an arbitrary $k$ (possibly $k = \omega$), such that there is $\langle S_U, S_E \rangle$ in $\delta(q, \sigma)$ such that for all $1 \leq i \leq k$ we have $S_U \subseteq S_i$ and for all $s \in S_E$ there is $1 \leq i \leq k$ such that $s \in S_i$. Runs of symmetric automata are then defined as runs of usual nondeterministic automata, by means of the tuples induced by the transition function. A language is symmetric if there is a nondeterministic symmetric automaton recognizing it.
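The induced-tuple definition above is the whole mechanism by which a finite symmetric transition handles nodes of any degree, so here it is made concrete as an added Python example (illustration code, not the paper's own): a constructed transition $\delta(q,\sigma)$ with two alternatives $\langle S_U, S_E \rangle$ is checked against candidate successor tuples, a canonical induced tuple is built for any degree $k$, and for tiny cases all induced tuples are enumerated. The state names `u`, `e1`, `e2` and the transition itself are assumptions made for the example.

```python
"""Symmetric nondeterministic looping automata (Section 2.2): delta(q, sigma) is a
set of pairs <S_U, S_E> of underlying states and induces successor tuples
<S_1, ..., S_k> for an arbitrary degree k.  Added example, not the paper's code;
the transition below is constructed for illustration."""
from itertools import combinations, product

# Constructed transition delta(q, sigma) with two alternatives.
#   <{u}, {e1, e2}> : u must be in every successor, e1 and e2 each in some successor.
#   <{u, e1}, {}>   : a second alternative with no existential obligation.
TRANSITION = [
    (frozenset({"u"}), frozenset({"e1", "e2"})),
    (frozenset({"u", "e1"}), frozenset()),
]
UNDERLYING = {"u", "e1", "e2"}   # the set S of underlying states


def pair_induces(pair, successors):
    """True iff the pair <S_U, S_E> induces the tuple `successors` (a sequence of sets):
    S_U is contained in every S_i, and every s in S_E occurs in at least one S_i."""
    s_u, s_e = pair
    if not successors:                       # degree 0: nothing to split into
        return False
    universal_ok = all(s_u <= s_i for s_i in successors)
    existential_ok = all(any(s in s_i for s_i in successors) for s in s_e)
    return universal_ok and existential_ok


def induces(transition, successors):
    """True iff some pair of delta(q, sigma) induces the tuple, as in the definition."""
    return any(pair_induces(pair, successors) for pair in transition)


def canonical_tuple(pair, k):
    """A cheapest tuple of degree k >= 1 induced by `pair`: every successor carries
    S_U, and all existential obligations are discharged in the first successor.
    The same pair therefore works for every k, which is what lets one finite
    transition read nodes of unbounded (even infinite) degree."""
    s_u, s_e = pair
    return [frozenset(s_u | s_e)] + [frozenset(s_u)] * (k - 1)


def all_induced_tuples(transition, k, underlying=UNDERLYING):
    """Enumerate every degree-k tuple over subsets of `underlying` that the
    transition induces (exponential in k and |S|; for tiny examples only)."""
    subsets = [frozenset(c) for r in range(len(underlying) + 1)
               for c in combinations(sorted(underlying), r)]
    return [t for t in product(subsets, repeat=k) if induces(transition, t)]
```

For degree 1 the only induced successors are the two states containing both `u` and `e1`; for degree 2 the first alternative alone already induces nine tuples, because the two existential obligations may be split between the children in any way.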

We now define a bounded form of automata. These are automata that essentially read only a bounded prefix of their input. A word automaton $\mathcal{A}$ is a cycle-free automaton if it contains no cycles. Formally, $\mathcal{A}$ is cycle free if for all runs $r$ of $\mathcal{A}$ and two positions $i \neq j \geq 0$, either $r(i) \neq r(j)$ or $r(i) = q_{acc}$. When $\mathcal{A}$ is a tree automaton, it is cycle free if for all runs $(T, r)$ of $\mathcal{A}$ and two nodes $x \neq y \in T$ such that $x$ is a prefix of $y$, we have $r(x) \neq r(y)$ or $r(x) = q_{acc}$. The diameter of a deterministic cycle-free word automaton $\mathcal{A}$, denoted $\mathit{diameter}(\mathcal{A})$, is the length of the longest path from the initial state of $\mathcal{A}$ to the accepting sink of $\mathcal{A}$.

* Readers familiar with alternating automata can see that symmetric nondeterministic looping automata are essentially symmetric alternating looping automata with transitions in DNF.

The language $\mathcal{L}(\mathcal{A})$ is the set of words/trees accepted by $\mathcal{A}$. We say that an automaton $\mathcal{A}$ is a clopen automaton if $\mathcal{L}(\mathcal{A})$ is clopen. As shown in [AS87,BFG+91,Sis94,KV99], looping automata recognize safety languages. Moreover, if a safety language $L$ is recognized by an automaton $\mathcal{A}$ with an acceptance condition such as Büchi, Rabin, etc., then $L$ is also recognized by the looping automaton obtained by ignoring the acceptance condition. It follows that every safety $\omega$-regular word language can be recognized by a looping automaton. Note that looping word automata can be determinized by an application of the standard subset construction [RS59]; thus a safety $\omega$-regular word language can be recognized by a deterministic looping word automaton.

3 Clopen Properties: The Linear Framework 

In this section we study linear clopen properties. We first give a direct proof, independent of set-theoretic topology, that linear clopen properties are bounded. We then consider $\omega$-regular clopen properties, obtain two bounds for them, and consider their translation to bounded formalisms.

Consider a clopen language $L \subseteq \Sigma^\omega$. For a finite word $x \in \Sigma^*$, we say that $x$ is determined with respect to $L$ if $x$ is a bad or a good prefix for $L$. Accordingly, $x$ is undetermined with respect to $L$ if there are $y \in \Sigma^\omega$ and $z \in \Sigma^\omega$ such that $x \cdot y \in L$ and $x \cdot z \notin L$.

Lemma 1. If $L \subseteq \Sigma^\omega$ is clopen, then every word $w \in \Sigma^\omega$ has only finitely many prefixes that are undetermined with respect to $L$.

We say that a clopen language $L$ is bounded if there are only finitely many words in $\Sigma^*$ that are undetermined with respect to $L$. For an integer $k$, we say that $L$ is bounded by $k$ if all the words $x \in \Sigma^*$ such that $|x| \geq k$ are determined with respect to $L$. Note that each bounded language $L$ has an integer $k$ such that $L$ is bounded by $k$.

Theorem 1. [Sta97] All clopen languages $L \subseteq \Sigma^\omega$ are bounded.

Proof: Assume by way of contradiction that there is a clopen language $L \subseteq \Sigma^\omega$ that is not bounded. Thus, there are infinitely many $x \in \Sigma^*$ such that $x$ is undetermined with respect to $L$. Since $\Sigma$ is finite and the set of undetermined words is prefix closed, it follows, by König's Lemma, that there is an infinite word in $\Sigma^\omega$ all of whose prefixes are undetermined. This, however, contradicts Lemma 1. □

As discussed in Section 1, the clopen requirement is essential. Indeed, the language induced by the safety property $Gp$ is not bounded, and neither is the language induced by the co-safety property $F\neg p$.

Theorem 1 applies to languages $L$ that are not necessarily $\omega$-regular. We now show that when $L$ is $\omega$-regular, it is possible to obtain a bound for $L$. We first present a bound that refers to the deterministic automaton for $L$, and then use some observations about automata to present a bound that refers to the nondeterministic automata for $L$ and $\mathit{comp}(L)$.
For a clopen $\omega$-regular language $L$, let $\mathit{det}(L)$ be the size of the minimal deterministic looping automaton that recognizes $L$. Note that deterministic looping automata can be minimized in a way that is analogous to the way deterministic automata on finite words are minimized. Furthermore, there is a unique minimal deterministic automaton for $L$.

Lemma 2. All minimal deterministic looping automata that recognize a clopen language are cycle free.

So, the minimal deterministic looping automaton that recognizes a clopen language $L$ is cycle free. Thus, we can talk about diameters of clopen $\omega$-regular languages and define $\mathit{diameter}(L)$ as the diameter of the minimal automaton for $L$.

Lemma 3. A clopen $\omega$-regular language $L \subseteq \Sigma^\omega$ is bounded by $\mathit{diameter}(L)$.

It follows that a clopen $\omega$-regular language $L \subseteq \Sigma^\omega$ is bounded by $\mathit{diameter}(L)$ and can be recognized by a cycle-free automaton with $\mathit{det}(L)$ states. The weakness of these immediate bounds is that they refer to a deterministic automaton for $L$, which may be exponentially bigger than a nondeterministic automaton for it. We now show that it is possible to obtain a bound for a clopen $\omega$-regular language that refers to nondeterministic automata for $L$ and $\mathit{comp}(L)$.
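The notions introduced so far (bad and good prefixes from Section 2.1, deterministic looping automata and cycle-freeness from Section 2.2, and the bound of Lemma 3) can all be exercised on one small automaton. The following is an added Python example written for this page, not the paper's own code: it encodes a constructed clopen language over $\{a, b\}$ ("one of the first three letters is $a$") as a deterministic looping automaton with accepting sink `q_acc`, classifies finite prefixes as bad, good or undetermined by running the automaton, checks cycle-freeness, computes the diameter, and verifies by brute force that the language is bounded by exactly that diameter. A second constructed automaton, for the safety property $Gp$ mentioned above, shows the opposite: it has a cycle, never reaches `q_acc`, and is therefore not bounded. State names and the two automata are assumptions of the example.

```python
"""Deterministic looping word automata (Section 2.2) and the boundedness notions
of Section 3: classify finite prefixes as bad / good / undetermined, test
cycle-freeness, compute the diameter, and check the bound of Lemma 3 by brute
force.  Added example, not the paper's code; both automata are constructed."""
from itertools import product

ACC = "q_acc"   # the accepting sink q_acc of the paper

# Constructed clopen language over {a, b}: "one of the first three letters is a".
# q0, q1, q2 count the letters read without seeing an 'a'.  ("q2", "b") has no
# successor, so the run dies there: 'bbb' is a minimal bad prefix.
Q0 = "q0"
DELTA = {
    ("q0", "a"): ACC, ("q0", "b"): "q1",
    ("q1", "a"): ACC, ("q1", "b"): "q2",
    ("q2", "a"): ACC,
    (ACC, "a"): ACC, (ACC, "b"): ACC,
}
ALPHABET = ("a", "b")

# Constructed contrast: the safety property Gp ("p always holds").  Letter 'p'
# means p holds, 'n' that it does not.  q_acc is never reached, so no prefix is
# ever good, every prefix of p^omega is undetermined, and L is not bounded.
Q0_GP = "s"
DELTA_GP = {("s", "p"): "s"}
ALPHABET_GP = ("p", "n")


def run(delta, q0, prefix):
    """State reached after reading `prefix`, or None if the run dies (no transition)."""
    q = q0
    for sigma in prefix:
        if q == ACC:
            return ACC            # the continuation after the sink is irrelevant
        q = delta.get((q, sigma))
        if q is None:
            return None
    return q


def classify(delta, q0, prefix):
    """'bad' if the run dies, 'good' if it has reached q_acc, else 'undetermined'."""
    q = run(delta, q0, prefix)
    return "bad" if q is None else "good" if q == ACC else "undetermined"


def successors(delta):
    succ = {}
    for (p, _), t in delta.items():
        succ.setdefault(p, set()).add(t)
    return succ


def is_cycle_free(delta, q0):
    """True iff no run can repeat a state other than q_acc, i.e. the transition
    graph reachable from q0 is acyclic once q_acc is cut off."""
    succ, on_path, done = successors(delta), set(), set()

    def dfs(q):
        if q == ACC or q in done:
            return True
        if q in on_path:
            return False          # back edge: some run would loop here
        on_path.add(q)
        ok = all(dfs(t) for t in succ.get(q, ()))
        on_path.discard(q)
        done.add(q)
        return ok
    return dfs(q0)


def diameter(delta, q0):
    """Length of the longest path from q0 to q_acc (None if q_acc is unreachable).
    Defined only for cycle-free automata, where the longest path is finite."""
    assert is_cycle_free(delta, q0), "diameter is defined for cycle-free automata"
    succ, memo = successors(delta), {}

    def longest(q):
        if q == ACC:
            return 0
        if q not in memo:
            lengths = [d + 1 for d in (longest(t) for t in succ.get(q, ())) if d is not None]
            memo[q] = max(lengths) if lengths else None
        return memo[q]
    return longest(q0)


def undetermined_words(delta, q0, alphabet, length):
    """All words of exactly `length` letters that are undetermined w.r.t. L(A)."""
    return ["".join(w) for w in product(alphabet, repeat=length)
            if classify(delta, q0, "".join(w)) == "undetermined"]


def is_bounded_by(delta, q0, alphabet, k):
    """Brute-force check that every word of length >= k is determined.  Since bad
    (good) prefixes stay bad (good) under extension, checking length k suffices."""
    return not undetermined_words(delta, q0, alphabet, k)
```

On the first automaton `diameter` returns 3 and `is_bounded_by` holds for 3 but not for 2 (the word `bb` is still undetermined), which is Lemma 3 observed on one instance; on the $Gp$ automaton `is_cycle_free` is false and no bound exists.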

For a safety language $L$, the in index of $L$, denoted $\mathit{in\_index}(L)$, is the minimal number of states that a nondeterministic looping automaton recognizing $L$ has. Similarly, the out index of a co-safety language $L$, denoted $\mathit{out\_index}(L)$, is the minimal number of states that a nondeterministic looping automaton recognizing $\mathit{comp}(L)$ has. If $L$ is clopen, we also refer to the index of $L$, denoted $\mathit{index}(L)$, which is the product of the in and out indices of $L$.

Lemma 4. A clopen $\omega$-regular language $L \subseteq \Sigma^\omega$ is bounded by $\mathit{index}(L)$.



Theorem 2. If an $\omega$-regular language $L \subseteq \Sigma^\omega$ is clopen, then there is a cycle-free nondeterministic word automaton of size $\mathit{in\_index}(L) \cdot \mathit{index}(L)$ that recognizes $L$.

Since LTL formulas can be translated to nondeterministic Büchi word automata with an exponential blow up [VW94], it follows from Theorem 2 that clopen LTL formulas can be translated to nondeterministic cycle-free automata with an exponential blow up. LTL formulas can also be translated to alternating Büchi word automata, with only a linear blow up [Var96]. Can clopen LTL formulas then be translated to alternating cycle-free automata with a linear blow up? In Theorem 3 below we answer this question in the negative. The idea is that a cycle-free automaton, even an alternating one, needs to visit $k$ different states in order to read the $k$-th letter of the input.

Theorem 3. The translation of clopen LTL formulas or clopen alternating word automata to nondeterministic or alternating cycle-free word automata is tightly exponential.

The translation of LTL formulas or alternating word automata to nondeterministic word automata involves an exponential blow up [MH84,VW94]. Hence, the cost of cycle-freeness is reflected only in the exponent, which can be three times larger in the cycle-free case. We note that, as with the translation of LTL formulas to nondeterministic automata, the exponential blow up refers to the worst case, and it rarely appears in practice.

It is shown in [KV99] that going from a co-safety LTL formula $\psi$ to a nondeterministic word automaton recognizing its good prefixes involves a doubly exponential blow up. Thus, for every $n$, there is a co-safety formula $\psi$ of size $O(n)$ such that the minimal automaton for $\mathit{good\_pref}(\psi)$ has $2^{2^n}$ states. The proof in [KV99] can be extended to $\psi$ that is clopen. Hence, while we are able to translate a clopen LTL formula to a cycle-free automaton with an exponential blow up, we cannot expect an exponential translation of clopen LTL formulas to a cycle-free automaton for their good prefixes.

Bounded LTL is a fragment of the linear temporal logic LTL in which the only temporal operator is $X$ (“next”). Since nondeterministic cycle-free word automata can be linearly translated to bounded LTL [Wil99b], it follows that clopen LTL formulas can be exponentially translated to bounded LTL.

4 Clopen Properties: The Branching Framework 

In this section we study clopen branching properties. We first restrict attention to the case where $\Upsilon$ is finite. We show that in this case, we can prove boundedness using the same considerations as in the linear framework. On the other hand, when $\Upsilon$ is infinite and the trees may have infinite branching degrees, it is not true that general clopen tree properties are bounded. We then show that for clopen $\omega$-regular tree languages, it is possible to extend the results from the linear framework to both types of trees: we are able to identify a bound and to translate clopen properties to cycle-free tree automata.

Consider a clopen language $L \subseteq \tau(\Sigma, \Upsilon)$. For a $\Sigma$-labeled $\Upsilon$-tree $(P, V)$ with a finite height, we say that $(P, V)$ is determined with respect to $L$ if it is a bad or a good prefix for $L$. Accordingly, $(P, V)$ is undetermined with respect to $L$ if there are extensions $(T_1, V_1)$ and $(T_2, V_2)$ of $(P, V)$ such that $(T_1, V_1) \in L$ and $(T_2, V_2) \notin L$. We say that a clopen language $L \subseteq \tau(\Sigma, \Upsilon)$ is bounded if there are only finitely many integers $d \geq 0$ for which there is a $\Sigma$-labeled $d$-$\Upsilon$-cone that is undetermined with respect to $L$. For an integer $k$, we say that $L$ is bounded by $k$ if all the $\Sigma$-labeled $d$-$\Upsilon$-cones, with $d \geq k$, are determined with respect to $L$.

Lemma 5. If $L \subseteq \tau(\Sigma, \Upsilon)$ is clopen, then every tree in $\tau(\Sigma, \Upsilon)$ has only finitely many cone prefixes that are undetermined with respect to $L$.

When $\Upsilon$ is finite, König's Lemma can be applied, as in Section 3, in order to prove that clopen tree languages are bounded.

Theorem 4. Let $\Upsilon$ be a finite set of directions. All clopen languages $L \subseteq \tau(\Sigma, \Upsilon)$ are bounded.

We now turn to consider $\mathbb{N}$-trees. Recall that $\mathbb{N}$-trees may have nodes with an infinite degree. While Lemma 5 does not depend on $\Upsilon$ being finite, the finiteness of $\Upsilon$ is crucial for the application of König's Lemma in the proof of Theorem 4. In fact, as we prove in Theorem 5 below, it is not true that all clopen languages in $\tau(\Sigma, \mathbb{N})$ are bounded.
Theorem 5. There is a clopen language in $\tau(\Sigma, \mathbb{N})$ that is not bounded.

Proof: Consider the language $L \subseteq \tau(\{0, 1\}, \mathbb{N})$, where $(T, V) \in L$ iff either $\mathit{deg}(\varepsilon) = \infty$, or there is a node $x$ with $|x| \leq \mathit{deg}(\varepsilon)$ and $V(x) = 1$. Thus, $L$ contains exactly all $\{0, 1\}$-labeled $\mathbb{N}$-trees in which, if the root has a finite degree $k$, then a node labeled 1 is reachable within $k$ steps. It is not hard to see that $L$ is clopen: if $(T, V) \notin L$, its $\mathit{deg}(\varepsilon)$-$\mathbb{N}$-cone prefix is a bad prefix. Also, if $(T, V) \in L$, either its 1-$\mathbb{N}$-cone prefix or its $\mathit{deg}(\varepsilon)$-$\mathbb{N}$-cone prefix is a good prefix. Now, for every candidate bound $k$ for $L$, the tree $(T, V)$ with $\mathit{deg}(\varepsilon) = k + 1$ and $V(x) = 0$ for all $x \in T$ has an undetermined $k$-$\mathbb{N}$-cone prefix. Hence, $L$ is not bounded.§ □

The language $L$ examined in Theorem 5 is quite unnatural. In practice, we are concerned with $\omega$-regular languages. In Section 3 we showed that in the linear framework, $\omega$-regularity enables us to identify a bound for the clopen language. We now show that in the branching framework $\omega$-regularity enables us not only to identify a bound but also to handle $\mathbb{N}$-trees, where the branching degree is infinite or finite but unbounded. We first need some notation.

A frontier of an $\Upsilon$-tree $T$ is a set $E \subseteq T$ of nodes such that for every path $\pi \subseteq T$, we have $|\pi \cap E| = 1$. For a node $x$ and a frontier $E$, we say that $x \leq E$ if $x$ is a prefix of some node in $E$. A roof of a frontier $E$ is a set $E'$ such that every node in $E$ has a strict prefix in $E'$. For a $\Sigma$-labeled $\Upsilon$-tree $(T, V)$, a frontier $E$ of $T$ and a roof $E'$ of $E$, the tree $(T, V)^{E \leftarrow E'}$ is obtained from $(T, V)$ by pumping the difference between $E'$ and $E$ infinitely often. Note that a node $x \in E$ may have several prefixes in $E'$. Let $\mathit{up}(x)$ be the longest prefix of $x$ in $E'$. When we pump the difference between $E'$ and $x$, we refer to $\mathit{up}(x)$. Formally, for $x \in E$, we define $\mathit{pump}(x, E)$ as the set of all words $y_0 \cdot y_1 \cdots y_n \in \Upsilon^*$, with $n \geq 1$, such that $y_0 = x$, for all $0 \leq i < n - 1$ we have $\mathit{up}(y_i) \cdot y_{i+1} \in E$, and $\mathit{up}(y_{n-1}) \cdot y_n \notin E$. Note that since $E$ is a frontier, every word $z \in \Upsilon^*$ is a member of $\mathit{pump}(x, E)$ for at most one $x \in E$, in which case it has a single partition into $y_0 \cdot y_1 \cdots y_n$ as above. Accordingly, for $z \in \mathit{pump}(x, E)$, we can define $\mathit{tail}(z)$ as $\mathit{up}(x) \cdot y_n$. Now,

$$T^{E \leftarrow E'} = \{ z : z \text{ is a prefix of some } x \in E \} \cup \bigcup_{x \in E} \mathit{pump}(x, E),$$

and

$$V^{E \leftarrow E'}(z) = \begin{cases} V(z) & \text{if } z \leq E, \\ V(\mathit{tail}(z)) & \text{if } z \in \mathit{pump}(x, E) \text{ for } x \in E. \end{cases}$$

For simplicity, we denote $(T^{E \leftarrow E'}, V^{E \leftarrow E'})$ by $(T, V)^{E \leftarrow E'}$.

When the clopen language $L$ is $\omega$-regular, we can talk about the size of the nondeterministic automaton that accepts $L$.¶ We say that $L$ is strongly $\omega$-regular if both $L$ and $\mathit{comp}(L)$ are $\omega$-regular. When $\Upsilon$ is finite, all $\omega$-regular languages are strongly $\omega$-regular. Since amorphous automata are not closed under complementation, not all $\omega$-regular languages in $\tau(\Sigma, \mathbb{N})$ are strongly $\omega$-regular. In order to talk about the in and out indices of a clopen tree language, we restrict attention to strongly $\omega$-regular languages. It can be shown that the set of symmetric looping nondeterministic automata that recognize clopen languages is closed under complementation; thus, in particular, our results apply to symmetric clopen languages.

§ Note that $L$ is bounded by the size of the set $\Upsilon$ of directions (in the theorem, $L$ is defined with respect to $\Upsilon$-trees with $\Upsilon = \mathbb{N}$, thus $|\Upsilon|$ is infinite and $L$ is unbounded). So, when defined with respect to $\Upsilon$-trees with a finite $\Upsilon$, the language $L$ is bounded. Also, note that it is the unboundedness of $\Upsilon$, rather than its infiniteness, that makes $L$ unbounded.

¶ It is possible to extend also the bound based on the diameter of $L$ to the branching framework. The extension, however, is very technical and not very enlightening.

Lemma 6. A strongly $\omega$-regular clopen language $L \subseteq \tau(\Sigma, \Upsilon)$ is bounded by $\mathit{index}(L)$.

Proof: Assume by way of contradiction that there is a $d$-$\Upsilon$-cone $(P, V)$ such that $d \geq \mathit{index}(L)$ and $(P, V)$ is undetermined. Thus, there are extensions $(T_1, V_1)$ and $(T_2, V_2)$ of $(P, V)$ such that $(T_1, V_1) \in L$ and $(T_2, V_2) \notin L$. Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be nondeterministic looping automata such that $\mathcal{L}(\mathcal{A}_1) = L$, $\mathcal{L}(\mathcal{A}_2) = \mathit{comp}(L)$, and $\mathcal{A}_1$ and $\mathcal{A}_2$ have $\mathit{in\_index}(L)$ and $\mathit{out\_index}(L)$ states, respectively. By the above, there are accepting runs $(T_1, r_1)$ and $(T_2, r_2)$ of $\mathcal{A}_1$ and $\mathcal{A}_2$ on $(T_1, V_1)$ and $(T_2, V_2)$, respectively. Both $T_1$ and $T_2$ have $P$ as their $d$-$\Upsilon$-cone prefix. Since $d \geq \mathit{in\_index}(L) \cdot \mathit{out\_index}(L)$, every path $\pi \subseteq P$ has two nodes $x_1$ and $x_2$ such that $x_1$ is a strict prefix of $x_2$, $r_1(x_1) = r_1(x_2)$, and $r_2(x_1) = r_2(x_2)$. Thus, both runs repeat their state at $x_1$ and $x_2$. The set of nodes $x_2$ as above is a frontier $E$ and the set of nodes $x_1$ as above is a roof $E'$ of $E$. Consider the tree $(P, V)^{E \leftarrow E'}$. The accepting run of $\mathcal{A}_1$ on $(T_1, V_1)$ induces an accepting run of $\mathcal{A}_1$ on $(P, V)^{E \leftarrow E'}$. Formally, the tree $(P, r_1)^{E \leftarrow E'}$ is an accepting run of $\mathcal{A}_1$ on $(P, V)^{E \leftarrow E'}$. Similarly, the accepting run of $\mathcal{A}_2$ on $(T_2, V_2)$ induces an accepting run of $\mathcal{A}_2$ on $(P, V)^{E \leftarrow E'}$. It follows that $(P, V)^{E \leftarrow E'}$ is accepted by both $\mathcal{A}_1$ and $\mathcal{A}_2$, contradicting the fact that $\mathcal{L}(\mathcal{A}_2) = \mathit{comp}(\mathcal{L}(\mathcal{A}_1))$. □



Theorem 6. If a strongly $\omega$-regular language $L \subseteq \tau(\Sigma, \Upsilon)$ is clopen, then there is a cycle-free nondeterministic tree automaton of size $\mathit{in\_index}(L) \cdot \mathit{index}(L)$ that recognizes $L$. If $L$ is symmetric, so is the cycle-free automaton.

The proof of Theorem 3 can be adapted to the branching case, where the specification language is CTL. The upper bound follows from the exponential translation of CTL to Büchi tree automata [VW86]. For the lower bound, the same example as in the linear case works (with the specification being universally quantified). Hence we have the following.

Theorem 7. The translation of clopen CTL formulas and clopen alternating tree automata to nondeterministic or alternating cycle-free tree automata is tightly exponential.



5 Clopen $\mu$-Calculus Specifications

The propositional $\mu$-calculus is a propositional modal logic augmented with least and greatest fixed-point operators [Koz83]. Specifically, we consider a $\mu$-calculus where formulas are constructed from Boolean propositions with Boolean connectives, the temporal operators $EX$ (“exists next”) and $AX$ (“for all next”), as well as least ($\mu$) and greatest ($\nu$) fixed-point operators. We assume that $\mu$-calculus formulas are written in positive normal form (negation only applied to atomic propositions, constants and variables). We classify formulas according to the nesting of fixed-point operators in them. Several versions of such a classification can be found in the literature [EL86,Niw86,Bra98]. Intuitively, the class $\Sigma_i$ contains all Boolean and modal combinations of formulas in which there are at most $i - 1$ alternations of $\mu$ and $\nu$, with the external fixed-point being a $\mu$. Similarly, the class $\Pi_i$ contains all Boolean and modal combinations of formulas in which there are at most $i - 1$ alternations of $\mu$ and $\nu$, with the external fixed-point being a $\nu$. Modal logic (ML) is a branching temporal logic in which the only temporal operators are $EX$ and $AX$. Note that ML coincides with $\Sigma_0$ and $\Pi_0$. The problem of deciding whether a $\mu$-calculus formula has an equivalent ML formula can be decided in exponential time [Ott99].

We now relate the bottom of the $\mu$-calculus hierarchy to safety and co-safety languages.

Lemma 7. All $\Pi_1$ formulas induce symmetric safety languages, and all $\Sigma_1$ formulas induce symmetric co-safety languages.

In particular, since $\Sigma_1$ formulas induce $\omega$-regular languages, whatever we say in this section about the $\mu$-calculus is valid for trees with arbitrary branching degree.

Lemma 8. A nondeterministic symmetric cycle-free automaton can be translated to an ML formula with a linear blow up.

Lemmas 7 and 8 together imply that the levels at the bottom of the $\mu$-calculus expressiveness hierarchy coalesce.

Theorem 8. If $\psi \in \Sigma_1 \cap \Pi_1$, then $\psi \in \mathrm{ML}$. The translation of $\Sigma_1 \cap \Pi_1$ to ML is tightly exponential.

It can be shown that the pumping argument used in the proof of Lemma 6 can yield finitely-generated trees, which are trees that are generated by unfolding finite graphs. This can be used to show that Theorem 8 holds even if we restrict attention to finite structures. It is an interesting open question whether Theorem 8 can be generalized to a characterization of $\Sigma_i \cap \Pi_i$, for $i > 1$.



Acknowledgment. We thank Vaughan Pratt for very helpful explanations about clopen 
sets in Cantor spaces. 
Abstract. We present new algorithms to translate linear time temporal logic (LTL) formulas with past operators to equivalent $\omega$-automata. The resulting automata are given in a symbolic representation that directly supports symbolic model checking. Furthermore, this has the advantage that the translations run in linear time with respect to the length of the input formula. To increase the efficiency of the model checking, our translations avoid as far as possible the introduction of computationally expensive fairness constraints, or at least replace them by simpler reachability constraints. Using the well-known automaton hierarchy, we show that our improvements are complete. Finally, we show how large parts of the formulas can be translated to the simpler logic CTL, which accelerates LTL model checking by orders of magnitude, as shown by experimental results.



1 Introduction 



The reactive behavior of concurrent systems can be conveniently specified with temporal logics [10] like CTL, LTL, and CTL* [11]. These logics have a different expressiveness and also very different verification procedures: CTL* model checking can be easily reduced to LTL model checking [13], LTL model checking in turn is reduced to nonemptiness problems of $\omega$-automata, and CTL model checking is reduced to model checking of the alternation-free $\mu$-calculus. While symbolic CTL model checking is very efficient, some authors complain about the hard restrictions of CTL [17,26], and therefore tend to use the more comfortable logics LTL and CTL*. All modern model checking tools therefore support LTL.

Verification procedures for LTL seem, however, not to be as powerful as those for CTL. Usually, the given LTL formulas are translated to equivalent $\omega$-automata whose emptiness is then to be checked. Similar to the verification procedures, there are two different approaches to these translations: procedures that construct the automata explicitly, and others that derive a symbolic description of the automata [3,6,18,29,8]. The latter have the advantage that they run with linear runtime and memory requirements with respect to the length of the formulas. Moreover, they can be directly used for symbolic model checking.

All of the mentioned translation procedures construct special $\omega$-automata, usually generalized Büchi automata (a special form of Streett automata [32]). The acceptance of these automata is defined by a set of sets of states $\{Q_1, \ldots, Q_n\}$: an infinite input sequence is accepted by such an automaton iff there is a run through the state transition system that visits each $Q_i$ infinitely often. In the following, the $Q_i$'s are called fairness constraints (as usual in CTL model checking). It is well-known that the verification of such fairness constraints requires a nested fixpoint iteration which makes them hard to verify,¹ especially in symbolic model checking.
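To make the acceptance condition just described concrete, the following added Python example (written for this page; it is not the author's tool or code) decides whether a generalized Büchi automaton accepts an ultimately periodic word $u \cdot v^\omega$: it builds the product of the automaton with the positions of the lasso, computes its strongly connected components, and accepts iff some nontrivial component contains a state from every fairness constraint $Q_i$. With no fairness constraints at all the same routine is plain looping acceptance (any infinite run will do), which is the simpler automaton class the introduction contrasts fairness constraints with. The two automata, their state names and the sample words are constructed assumptions of the example.

```python
"""Acceptance of an ultimately periodic word u.v^omega by a generalized Buechi
automaton with fairness constraints Q_1, ..., Q_n: accept iff some run visits
every Q_i infinitely often.  Added example, not the paper's code or tool; the
automata and words below are constructed for illustration."""


def _product_graph(delta, initial, u, v):
    """Reachable (state, position) pairs and their successors while reading
    u.v^omega: position i < len(u) reads u[i]; afterwards v is read cyclically."""
    n, m = len(u), len(v)
    assert m >= 1, "the loop part v must be nonempty"
    word = u + v

    def nxt(pos):
        return pos + 1 if pos + 1 < n + m else n   # wrap back to the start of v

    succ, stack = {}, [(q, 0) for q in initial]
    while stack:
        node = stack.pop()
        if node in succ:
            continue
        q, pos = node
        succ[node] = {(t, nxt(pos)) for t in delta.get((q, word[pos]), ())}
        stack.extend(succ[node])
    return succ


def _sccs(succ):
    """Strongly connected components (Tarjan's algorithm) of a small graph."""
    index, low, on_stack, stack, comps, counter = {}, {}, set(), [], [], [0]

    def strong(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ.get(v, ()):
            if w not in index:
                strong(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in list(succ):
        if v not in index:
            strong(v)
    return comps


def accepts(delta, initial, fairness, u, v):
    """True iff some run on u.v^omega visits every set in `fairness` infinitely
    often.  An infinite run eventually stays inside one nontrivial SCC of the
    product graph, so it suffices to look for such an SCC meeting every Q_i.
    With fairness == [] this is plain looping acceptance."""
    succ = _product_graph(delta, initial, u, v)
    for comp in _sccs(succ):
        nontrivial = len(comp) > 1 or any(x in succ[x] for x in comp)
        if nontrivial and all(any(q in f for q, _ in comp) for f in fairness):
            return True
    return False


# Constructed automaton for GF p & GF q over the letters p, q, n ("neither"):
# the state records the last letter read; two fairness constraints ask for
# 'p' and for 'q' infinitely often.
LAST = {(s, x): {"s_" + x} for s in ("s0", "s_p", "s_q", "s_n") for x in "pqn"}
FAIR_PQ = [{"s_p"}, {"s_q"}]

# Constructed looping automaton for the safety property "x never occurs":
# there is no transition on 'x', so the run dies; no fairness constraint is needed.
NEVER_X = {("s", "p"): {"s"}, ("s", "q"): {"s"}}
```

The nested fixpoint the text mentions is visible here in the shape of the check: reachability gets the run into the loop, and the SCC condition then asks for a cycle that is itself fair with respect to every $Q_i$.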

In this paper, we reconsider the translation procedures as given in [3,6,18,29], and show that these procedures can be significantly improved. The problem with these procedures is that each temporal future operator (except for the next-time operator) of the considered LTL formula induces a fairness constraint during the translation. It is well-known that the translation of arbitrary temporal formulas is not possible without fairness constraints. Nevertheless, there are a lot of specifications, including all safety and liveness properties, that can be translated to simpler classes of $\omega$-automata (whose acceptance condition does not require fairness constraints). Consequently, some of the fairness constraints introduced by the procedures [3,6,18,29] are unnecessary, and others (still used by [8]) can be replaced with simpler constraints.

We therefore present two powerful improvements of the symbolic translation procedures that still retain the linear runtime of the translation. The first improvement is based on exploiting the monotonicity of logical operators and therefore allows one to neglect the introduction of those fairness constraints that stem from positive/negative occurrences of weak/strong temporal operators. This is already used in [8] and in most of the explicit translation procedures, but not in [3,6,18,29]. The second improvement allows one to replace some of the remaining fairness constraints by simpler reachability constraints. This improvement can be used as long as only strong temporal future operators are nested into each other, followed by only nestings of weak temporal future operators. To the best of our knowledge such an improvement has not been used so far. Based on these improvements, we define new subclasses of LTL that can be translated without fairness constraints at all, i.e., either without any constraints, or with only reachability constraints.

Besides the translations of subclasses of LTL to corresponding automaton classes, we also consider a combination with the methods presented in [26,27]. These procedures allow one to translate large parts of the LTL formulas to CTL, thus bridging the gap between LTL and CTL. We have implemented all translation procedures in a front-end for the SMV model checker family [21,22,4], which yields a new verification tool for LTL specifications that outperforms the direct use of these tools. The tool has been completely written in Java, so that it is platform-independent and can be freely accessed under http://goethe.ira.uka.de/~schneider/my.tools.

The paper is organized as follows: In the next section, we define the syntax and the 
semantics of the temporal logic that is used in the paper. After this, we define our new 
temporal logics in correspondence to the well-known automaton hierarchy. In section 4, 
we review the translation procedures of [3,6,29]. In section 5, we present our improve- 
ments and hence, the first variant of our new translation procedures. We then combine all 

¹ The best known algorithm for checking a μ-calculus formula Φ in a finite state system 
with |S| states and |R| transitions is of order O((|S| · |R| · |Φ|)^{ad(Φ)}), where ad(Φ) is the 
alternation depth of Φ. Fairness constraints increase the alternation depth to ad(Φ) = 2. 




Improving Automata Generation for Linear Temporal Logic 



our improvements in section 6. We also show there how parts of the LTL formulas can 
be directly translated to CTL to further increase the efficiency. Experimental results that 
prove the power of our improvements are finally given in section 7. Due to lack of space, 
we do not list proofs; however, we note that most parts of the translation procedures 
have been checked with the HOL [16] proof assistant, and a more detailed description 
of the algorithms together with proofs can be found in [28]. 

Some recent work can be combined with the translations presented here: [?] and 
[?] list different sets of rewrite rules to simplify LTL formulas before translating them 
to automata. Moreover, [?] presents symbolic procedures for checking nonemptiness of 
weak and terminal Büchi automata (which are called NDet_FG and NDet_F below), which 
yields a perfect back-end for our translations. 

2 Syntax and Semantics of ℒ_ω 

We first define an extended temporal logic (as did many authors like [17] before) to 
present our translations in a single formalism. 

Definition 1 (Syntax of ℒ_ω). The following mutually recursive definitions introduce the 
set ℒ_ω of formulas over a given finite set of variables V: 

- each variable is a formula, i.e., V ⊆ ℒ_ω 

- Xφ, ←Xφ, [φ U̲ ψ], [φ S̲ ψ] ∈ ℒ_ω, if φ, ψ ∈ ℒ_ω 

- Given a finite set of variables Q with Q ∩ V = {}, a propositional formula Φ_I over 
Q ∪ V, a propositional formula Φ_R over Q ∪ V ∪ {Xv | v ∈ Q ∪ V}, and a 
formula Φ_F over Q ∪ V, then A∃(Q, Φ_I, Φ_R, Φ_F) is a formula. 

The above logic is based on the usual temporal future time operators X and [· U̲ ·], and 
their corresponding past time operators ←X and [· S̲ ·]. Moreover, it uses ω-automata as 
temporal operators to receive the full power of ω-regular languages. Note that arbitrary 
formulas are allowed as acceptance conditions in the automata expressions, which 
might be unusual, but simplifies the following explanations. 

The semantics is given wrt. Kripke structures K = (I, S, R, L, ℱ): S is a finite set 
of states, R ⊆ S × S is the transition relation, and L : S → 2^V is a labeling function 
that maps a state s ∈ S to the set of variables L(s) ⊆ V that hold on s. I ⊆ S is 
the set of initial states, and ℱ = {F_1, . . . , F_f} is a finite set of sets of states F_i that 
are called fairness constraints. A path through K is a function π : ℕ → S such that 
∀i. (π^{(i)}, π^{(i+1)}) ∈ R holds. A path π is fair iff π visits every F_i ∈ ℱ infinitely often. 

A∃(Q, Φ_I, Φ_R, Φ_F) is an (existential) automaton formula that describes an ω- 
automaton in a symbolic manner: Q is the set of state variables, so the set of states 
corresponds with the powerset of Q. We identify any set ϑ ⊆ Q ∪ V ∪ {Xv | v ∈ Q ∪ V} 
with a propositional interpretation that exactly assigns the variables of ϑ to true.² With 
this view, the formula Φ_I describes the set of the initial conditions: These are the 
sets ϑ ⊆ Q ∪ V that satisfy Φ_I. Similarly, Φ_R describes the set of transitions. Intu- 
itively, an existential automaton formula 𝔄 holds on a path π iff there is an accept- 
ing run for the trace L(π^{(0)}), L(π^{(1)}), ..., through 𝔄. To define this formally, we 
define the Kripke structure K_𝔄 = (I_𝔄, S_𝔄, R_𝔄, L_𝔄, {}) for an automaton formula 
𝔄 = A∃(Q, Φ_I, Φ_R, Φ_F) with S_𝔄 := 2^{Q ∪ V}, I_𝔄 := {ϑ ⊆ Q ∪ V | ϑ ⊨ Φ_I}, 
R_𝔄 := {(ϑ_0, ϑ_1) ⊆ (Q ∪ V) × (Q ∪ V) | ϑ_0 ∪ {Xv | v ∈ ϑ_1} ⊨ Φ_R}, and L_𝔄(s) := s. 
Note that K_𝔄 is independent of the acceptance condition Φ_F; the effect of Φ_F is con- 
sidered in the definition of the semantics below: 

² For variables v, we often treat Xv as a normal variable for propositional evaluations. 

Definition 2 (Semantics of ℒ_ω). Given a structure K = (I, S, R, L, ℱ), a fair path π 
through K, and a number t ∈ ℕ, the semantics of formulas is recursively defined as 
follows: 

- (K, π, t) ⊨ x iff x ∈ L(π^{(t)}) for each variable x 

- (K, π, t) ⊨ ¬φ iff not (K, π, t) ⊨ φ 

- (K, π, t) ⊨ φ ∨ ψ iff (K, π, t) ⊨ φ or (K, π, t) ⊨ ψ 

- (K, π, t) ⊨ Xφ iff (K, π, t + 1) ⊨ φ 

- (K, π, t) ⊨ ←Xφ iff t = 0 or t > 0 and (K, π, t − 1) ⊨ φ 

- (K, π, t) ⊨ [φ U̲ ψ] iff there is a δ ≥ t such that (K, π, δ) ⊨ ψ and for all x with 
t ≤ x < δ, we have (K, π, x) ⊨ φ 

- (K, π, t) ⊨ [φ S̲ ψ] iff there is a δ ≤ t such that (K, π, δ) ⊨ ψ and for all x with 
δ < x ≤ t, we have (K, π, x) ⊨ φ 

- Given 𝔄 = A∃(Q, Φ_I, Φ_R, Φ_F) with Kripke structure K_𝔄 = (I_𝔄, S_𝔄, R_𝔄, L_𝔄, 
{}), we define (K, π, t) ⊨ 𝔄 iff there is a fair path ξ through³ K × K_𝔄 such that (1) 
∀x. fst(ξ^{(x)}) = π^{(t+x)}, (2) snd(ξ^{(0)}) ∈ I_𝔄, and (3) (K × K_𝔄, ξ, 0) ⊨ Φ_F holds.⁴ 

φ is generally valid if (K, π, t) ⊨ φ holds on every path of every structure K for any 
position t. φ is initially valid if (K, π, 0) ⊨ φ holds on every path of every structure K. 

Except for the automaton formulas, the above definition is done in the standard way and 
can be found in many related papers. Note that snd(ξ^{(0)}) must be an initial state of K_𝔄, 
but fst(ξ^{(0)}) is simply π^{(t)} and not necessarily an initial state of K. 

Moreover, we use the following standard abbreviations: Ga = ¬[1 U̲ (¬a)], Fa = 
[1 U̲ a], [a U b] = [a U̲ b] ∨ Ga, ←X̲a = ¬←X¬a, ←Ga = ¬[1 S̲ (¬a)], ←Fa = [1 S̲ a], 
and [a S b] = [a S̲ b] ∨ ←Ga. We distinguish between strong and weak variants of 
temporal operators by underlining the strong variant (a strong variant requires that the 
event that is waited for actually will occur or has occurred, or in case of ←X̲ that really 
a previous point of time exists). Moreover, we introduce further Boolean operators as 
φ ∧ ψ := ¬(¬φ ∨ ¬ψ), φ → ψ := ¬φ ∨ ψ, and (φ = ψ) := (φ → ψ) ∧ (ψ → φ), 
with priorities ∨ < ∧ < ‘unary operators’ (∧ binds tighter than ∨, and unary operators tighter than ∧). 

As an important notation, we write Φ(φ)_x to denote that the variable x is replaced 
in Φ by the formula φ. This notation for substitution will be important in the following. 
Finally, we denote the length of a formula Φ, i.e., the number of its operators, as |Φ|. 

3 A Hierarchy of Temporal Logics 

Several acceptance conditions are distinguished for defining different classes of ω- 
automata [?]. Acceptance conditions of the form Gφ_0, Fφ_0, ⋀_{i=0}^{f} Gφ_i ∨ Fψ_i, 
FGφ_0, GFφ_0, and ⋀_{i=0}^{f} FGφ_i ∨ GFψ_i determine the automaton classes (N)Det_G, 
(N)Det_F, (N)Det_Prefix, (N)Det_FG, (N)Det_GF, (N)Det_Streett, respectively, where all sub- 
formulas φ_i and ψ_i are propositional. Det_κ and NDet_κ denote thereby the sets of de- 
terministic and nondeterministic ω-automata with acceptance condition of type κ. The 
expressiveness of these classes can be illustrated as follows, where C_1 ⊑ C_2 means 
that for any automaton in C_1, there is an equivalent one in C_2. Moreover, we define 
C_1 ≈ C_2 := C_1 ⊑ C_2 ∧ C_2 ⊑ C_1 and C_1 ⊏ C_2 := C_1 ⊑ C_2 ∧ ¬(C_1 ≈ C_2). 

³ Products of structures are defined in the usual way (see e.g., [27]). 

⁴ We assume the following definitions: fst((a, b)) = a and snd((a, b)) = b. 



(Figure: the automaton hierarchy. Deterministic classes Det_G, Det_F, Det_Prefix, Det_GF, Det_FG, Det_Streett and their nondeterministic counterparts NDet_G, NDet_F, NDet_Prefix, NDet_GF, NDet_FG, NDet_Streett, ordered by the relations ⊑ and ≈ defined above.) 



The above automaton hierarchy is closely related to the Borel hierarchy of topology 
[?]. As can be seen, it consists of six different classes, and each class has a deterministic 
representative. It can be shown that the nonemptiness problem for all automaton classes 
except for (N)Det_GF and (N)Det_Streett can be reduced to the alternation-free μ-calculus, 
whereas (N)Det_GF and (N)Det_Streett require μ-calculus formulas of alternation-depth 2. 
This is not only a theoretical issue, since the alternation-depth dramatically influences the 
runtime of the verification procedure (it reflects the number of nested fixpoint iterations 
of the model checking procedure). 

Manna and Pnueli were the first who investigated a temporal logic hierarchy in 
analogy to the above automaton hierarchy [20]. However, they only considered very 
restricted normal forms, namely formulas that are obtained by replacing the subformulas 
φ_i and ψ_i in the acceptance conditions of the automata with formulas that contain only 
Boolean and past temporal operators. In the following definition, we present a completely 
new definition of a temporal logic hierarchy with syntactically much richer temporal 
logics. One can even show [?] that the future time fragments of these logics are as 
expressive as the logics themselves, so that past operators can be eliminated. 



Definition 3 (Temporal Borel Classes). We define the logics TL_κ for κ ∈ {G, F, Prefix, 
FG, GF, Streett} by the following grammar rules, where TL_κ is the set of formulas that 
can be derived from the nonterminal P_κ (V represents any variable v ∈ V): 

P_G ::= V | ¬P_F | P_G ∧ P_G | P_G ∨ P_G 
    | ←XP_G | [P_G S P_G] 
    | ←X̲P_G | [P_G S̲ P_G] 
    | XP_G | [P_G U P_G] 

P_F ::= V | ¬P_G | P_F ∧ P_F | P_F ∨ P_F 
    | ←XP_F | [P_F S P_F] 
    | ←X̲P_F | [P_F S̲ P_F] 
    | XP_F | [P_F U̲ P_F] 

P_Prefix ::= P_G | P_F | ¬P_Prefix | P_Prefix ∧ P_Prefix | P_Prefix ∨ P_Prefix 

P_GF ::= P_Prefix | ¬P_FG | P_GF ∧ P_GF | P_GF ∨ P_GF 
    | ←XP_GF | ←X̲P_GF | XP_GF 
    | [P_GF S P_GF] | [P_GF S̲ P_GF] 
    | [P_GF U P_GF] | [P_GF U̲ P_F] 

P_FG ::= P_Prefix | ¬P_GF | P_FG ∧ P_FG | P_FG ∨ P_FG 
    | ←XP_FG | ←X̲P_FG | XP_FG 
    | [P_FG S P_FG] | [P_FG S̲ P_FG] 
    | [P_FG U̲ P_FG] | [P_G U P_FG] 

P_Streett ::= P_GF | P_FG | ¬P_Streett | P_Streett ∧ P_Streett | P_Streett ∨ P_Streett 
TL_G is the set of formulas where each occurrence of a weak/strong temporal future 
operator is positive/negative, and similarly, each occurrence of a weak/strong temporal 
future operator in TL_F is negative/positive. Hence, both logics are dual to each other, 
which means that one contains the negations of the other one. TL_Prefix is the Boolean 
closure of TL_G (and TL_F). The logics TL_GF and TL_FG are constructed in the same way 
as TL_G and TL_F; there are two differences: (1) these logics allow occurrences of TL_Prefix 
where otherwise variables would have been required in TL_G and TL_F, and (2) there are 
additional ‘asymmetric’ grammar rules. It can be easily proved that TL_GF and TL_FG are 
also dual to each other, and their intersection strictly contains TL_Prefix. Finally, TL_Streett 
is the Boolean closure of TL_GF (and TL_FG). 

Note that the ‘asymmetric’ grammar rules of the logics TL_GF and TL_FG can be 
eliminated due to the following equivalences: [φ U̲ ψ] = [φ U ψ] ∧ Fψ and [φ U ψ] = 
[φ U̲ ψ] ∨ Gφ. In the following, we therefore neglect these asymmetric grammar rules 
to simplify the remaining considerations.⁵ 

For the completeness of the logics TL_κ, we note that the logics TL_κ (syntactically) 
strictly contain the logics defined in [?] that are known to be complete with respect 
to counter-free Det_κ automata. Hence, it is possible to translate any counter-free Det_κ 
automaton to an equivalent TL_κ formula; the other direction is proved in the following. 
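The grammar of Definition 3 can be read as a decision procedure: for a given formula, compute the set of nonterminals P_κ from which it can be derived. The following Python is an added example (not code from the paper); it covers the future-time fragment, drops the asymmetric rules as the text does, and encodes formulas as nested tuples of its own choosing. The functions `classes_of`, `close`, `in_class` and the constant-1 encoding `('true',)` are assumptions of this example.

```python
"""Membership test for the temporal Borel classes of Definition 3.

Added example (not code from the paper). It covers the future-time
fragment only (the paper notes that past operators can be eliminated)
and leaves out the 'asymmetric' grammar rules, as the paper does after
Definition 3.  Formulas are nested tuples (a constructed encoding):
  ('true',)                  the constant 1
  ('var', name)              a variable
  ('not', f)                 negation
  ('and', f, g), ('or', f, g)
  ('X', f)                   next
  ('U', f, g)                strong until (underlined U in the paper)
  ('W', f, g)                weak until   (plain U in the paper)
"""

CLASSES = ("G", "F", "Prefix", "GF", "FG", "Streett")

# Negation swaps G<->F and GF<->FG; Prefix and Streett are Boolean closures.
DUAL = {"G": "F", "F": "G", "GF": "FG", "FG": "GF",
        "Prefix": "Prefix", "Streett": "Streett"}


def close(ks):
    """Add the classes implied by the syntactic inclusions of Definition 3:
    P_G, P_F -> P_Prefix -> P_GF, P_FG -> P_Streett."""
    ks = set(ks)
    if ks & {"G", "F"}:
        ks.add("Prefix")
    if ks & {"G", "F", "Prefix"}:
        ks |= {"GF", "FG"}
    if ks & {"GF", "FG"}:
        ks.add("Streett")
    return ks


def classes_of(f):
    """Set of kappa such that f can be derived from the nonterminal P_kappa."""
    op = f[0]
    if op in ("true", "var"):
        return set(CLASSES)                      # V is allowed everywhere
    if op == "not":
        return {DUAL[k] for k in classes_of(f[1])}
    if op in ("and", "or"):
        return classes_of(f[1]) & classes_of(f[2])   # every P_kappa is closed
    if op == "X":
        # X occurs in the rules of P_G, P_F, P_GF, P_FG, not in the Boolean closures
        return close(classes_of(f[1]) & {"G", "F", "GF", "FG"})
    if op == "W":   # weak until: rules of P_G and P_GF
        return close(classes_of(f[1]) & classes_of(f[2]) & {"G", "GF"})
    if op == "U":   # strong until: rules of P_F and P_FG
        return close(classes_of(f[1]) & classes_of(f[2]) & {"F", "FG"})
    raise ValueError("unknown operator %r" % op)


def in_class(f, kappa):
    return kappa in classes_of(f)


# The paper's abbreviations: G a = ¬[1 U ¬a] and F a = [1 U a] (strong U).
def G(f):
    return ("not", ("U", ("true",), ("not", f)))


def F(f):
    return ("U", ("true",), f)


if __name__ == "__main__":
    a, b = ("var", "a"), ("var", "b")
    for name, phi in [("G a", G(a)), ("GF a", G(F(a))), ("FG a", F(G(a))),
                      ("G a ∧ F b", ("and", G(a), F(b))),
                      ("GF a ∧ F G b", ("and", G(F(a)), F(G(b))))]:
        print(name, sorted(classes_of(phi)))
```

The result for `GF a` is {GF, Streett} and for `FG a` is {FG, Streett}, while `GF a ∧ FG b` lands in TL_Streett only, which is the separation the hierarchy above describes. Because the test is purely syntactic, a formula like `X(G a ∧ F b)` is reported outside TL_Prefix even though it is semantically equivalent to a TL_Prefix formula.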

4 The Basic Translation to ω-Automata 

Translations from temporal logics to equivalent ω-automata have been intensively stud- 
ied. Common to most procedures is the consideration of the truth values of all subformu- 
las of the given formula. In particular, one considers the set of elementary subformulas 
of a given formula Φ, which is essentially the set of all subformulas of Φ that start with a 
temporal operator. The states of the ω-automaton that is to be constructed consist then 
of the truth values of these elementary formulas: If Φ has the elementary formulas {ψ_1, 
. . . , ψ_n}, we need n state variables {q_1, . . . , q_n} to encode the state set, and therefore 
already see where the exponential blow-up of the automaton comes from. Clearly, for 
any run through the automaton, we want that q_i = ψ_i holds. For this reason, the transi- 
tion relation of the automaton must respect the semantics of the temporal operators that 
occur in ψ_i. The following theorem shows however that it is not enough to only follow 
the recursion laws of the operators: 

Theorem 1. Given a formula Φ with some occurrences of a variable x, and propositional 
formulas φ and ψ, the following equations are valid: 

A∃({q}, 1, Xq = φ, Φ(q)_x) = Φ(←Xφ)_x ∨ Φ(←X̲φ)_x 
A∃({q}, 1, Xq = ψ ∨ φ ∧ q, Φ(ψ ∨ φ ∧ q)_x) = Φ([φ S ψ])_x ∨ Φ([φ S̲ ψ])_x 
A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x) = Φ([φ U ψ])_x ∨ Φ([φ U̲ ψ])_x 

As strong and weak operators fulfill exactly the same recursion laws, they can not be 
distinguished by transition relations alone. The next theorem shows that we can select the 
strong or the weak variant by either adding suitable initialization conditions or fairness 
constraints (for past and future operators, respectively). 

⁵ A simple rewriting procedure would however blow up the formula, which is not necessary when 
the translation procedures directly support the full logics [28]. 
Theorem 2 (Translating Temporal Logic to ω-Automata). Given a formula Φ, a vari- 
able x, and propositional formulas φ and ψ, the following equations are valid: 

Φ(←Xφ)_x = A∃({q}, q, Xq = φ, Φ(q)_x) 

Φ(←X̲φ)_x = A∃({q}, ¬q, Xq = φ, Φ(q)_x) 

Φ([φ S ψ])_x = A∃({q}, q, Xq = ψ ∨ φ ∧ q, Φ(ψ ∨ φ ∧ q)_x) 

Φ([φ S̲ ψ])_x = A∃({q}, ¬q, Xq = ψ ∨ φ ∧ q, Φ(ψ ∨ φ ∧ q)_x) 

Φ(Xφ)_x = A∃({q}, 1, q = Xφ, Φ(q)_x) 

Φ([φ U ψ])_x = A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x ∧ GF[φ → q]) 

Φ([φ U̲ ψ])_x = A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x ∧ GF[q → ψ]) 

There is a subtlety concerning the X operator: If φ contains occurrences of input variables, 
the transition relation of the automaton refers to the next input, which is normally not 
allowed for automata.⁶ Theorem 2 can already be used to translate any temporal logic 
formula Φ to an equivalent ω-automaton 𝔄_Φ, if the laws are applied in a bottom-up 
traversal over the syntax tree of Φ to abbreviate any elementary formula by a propositional 
one [29]. 

Theorem 3 (Basic Translation). Given any formula Φ ∈ LTL, the laws given in Theorem 
2 can be used to compute an equivalent NDet_Streett automaton 𝔄 in time O(|Φ|). 

A machine-checked proof of the above theorem can be found in [?]; the sources are 
available in the newest HOL98 distributions. Although the automaton may have in the 
worst case O(2^{|Φ|}) states, we still compute it in linear time, since we use a symbolic 
representation that is directly usable for symbolic model checking. 

5 Improving the Basic Translation 

5.1 Exploiting the Monotonicity of Temporal Operators 

Reconsider the translation procedure of the previous section: If we omit the fairness 
constraints, then we leave it unspecified whether the operator that is on top of the 
abbreviated formula was a weak or a strong one: For example, the automaton for- 
mula A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x) is equivalent to Φ([φ U ψ])_x ∨ Φ([φ U̲ ψ])_x 
(cf. Theorem 1). Our aim is therefore to find a simple condition so that Φ([φ U ψ])_x ∨ 
Φ([φ U̲ ψ])_x = Φ([φ U ψ])_x holds. As φ ∨ ψ = ψ is equivalent to φ → ψ, it follows 
that we must find a criterion for Φ so that Φ([φ U̲ ψ])_x → Φ([φ U ψ])_x holds. As 
[φ U̲ ψ] → [φ U ψ] holds, this means in turn that we must study the monotonicity of 
temporal/Boolean operators (we define the partial order φ ≤ ψ :⇔ G[φ → ψ]). 

It is not difficult to prove that all of our temporal operators are monotonic in all 
arguments. For example, G[α → α'] and G[β → β'] implies G([α U β] → [α' U β']). 
Hence, checking the monotonicity of a temporal formula Φ(φ)_x in the argument x 
reduces to checking whether x occurs only under an even or odd number of negations. To 
be precise and concise, we use the notion of positive/negative occurrences in a temporal 
logic formula: An occurrence is positive/negative iff it appears under an even/odd number 
of negation symbols (we exclude implications and equivalences at the moment). It is 
straightforward to prove the following theorem: 

⁶ The alternative 𝔄 := A∃({q_0, q_1}, 1, (q_0 = φ) ∧ (q_1 = Xq_0), Φ(q_1)_x) circumvents this. 
function TopProp_σ(Φ) 
  case Φ of 
    is_prop(Φ) : 
      return A∃({}, 1, 1, {}, Φ); 
    ¬φ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = TopProp_{¬σ}(φ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, ¬φ'); 
    φ ∧ ψ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ'); 
    φ ∨ ψ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∨ ψ'); 
    Xφ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = TopProp_σ(φ); q = new_var; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ (q = Xφ'), ℱ_φ, q); 
    [φ U ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      q = new_var; R_q = [q = ψ' ∨ φ' ∧ Xq]; 
      ℱ_q = if σ then {} else {GF[φ' → q]}; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ R_q, ℱ_φ ∪ ℱ_q, q); 
    [φ U̲ ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      q = new_var; R_q = [q = ψ' ∨ φ' ∧ Xq]; 
      ℱ_q = if σ then {GF[q → ψ']} else {}; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ R_q, ℱ_φ ∪ ℱ_q, q); 
    ←Xφ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = TopProp_σ(φ); q = new_var; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ q, R_φ ∧ (Xq = φ'), ℱ_φ, q); 
    ←X̲φ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = TopProp_σ(φ); q = new_var; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ ¬q, R_φ ∧ (Xq = φ'), ℱ_φ, q); 
    [φ S ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      q = new_var; r_q = ψ' ∨ φ' ∧ q; R_q = [Xq = r_q]; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ q, R_φ ∧ R_q, ℱ_φ, r_q); 
    [φ S̲ ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = TopProp_σ(φ) × TopProp_σ(ψ); 
      q = new_var; r_q = ψ' ∨ φ' ∧ q; R_q = [Xq = r_q]; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ ¬q, R_φ ∧ R_q, ℱ_φ, r_q); 
  end case 
end function 

Fig. 1. Improving the Translation from Temporal Logic to ω-Automata by Considering the Mono- 
tonicity of Operators 



Theorem 4 (Translation to ω-Automata wrt. Positive/Negative Occurrences). 

Given a formula Φ, a variable x, and propositional formulas φ and ψ. Then the following 
equation is generally valid, provided that any occurrence of x in Φ is positive: 

Φ([φ U ψ])_x = A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x) 

If on the other hand, any occurrence of x in Φ is negative, then the following holds: 

Φ([φ U̲ ψ])_x = A∃({q}, 1, q = ψ ∨ φ ∧ Xq, Φ(q)_x) 

Hence, fairness constraints need not be generated for positive/negative occurrences of 
weak/strong temporal future operators. This improves the translations of [3,6,18,29]; 
however, [8] already uses this improvement. An algorithm is given in Figure 1, where σ 
denotes the signum of the occurrence. For convenience, we extended automaton formulas 
in the algorithm by an additional argument for the constraints: A∃(Q, I, R, ℱ, Φ) = 
A∃(Q, I, R, ⋀_{F∈ℱ} F ∧ Φ), and A∃(Q_1, I_1, R_1, ℱ_1, Φ_1) × A∃(Q_2, I_2, R_2, ℱ_2, Φ_2) is 
defined as A∃(Q_1 ∪ Q_2, I_1 ∧ I_2, R_1 ∧ R_2, ℱ_1 ∪ ℱ_2, Φ_1 ∧ Φ_2). 

Theorem 5 (Correctness of TopProp_σ(Φ)). For any Φ ∈ LTL and the automaton 
formula A∃(Q, I, R, ℱ, Φ_0) = TopProp_σ(Φ) obtained by the algorithm given in Figure 
1 we have the following facts: 

(1) TopProp_σ(Φ) runs in time O(|Φ|). 

(2) Φ_0 is propositional. 

(3) Each F ∈ ℱ is of the form GFφ' where φ' is propositional. 

(4) For σ = 1, the equation Φ = A∃(Q, I, R, ℱ, Φ_0) is initially valid. 

(5) For σ = 0, the equation ¬Φ = A∃(Q, I, R, ℱ, ¬Φ_0) is initially valid. 



5.2 Considering Finite Intervals of Interest 

We have seen above that the basic translation as given in Section 4 can be improved by 
exploiting the monotonicity of operators. This allows one to avoid the introduction of 
fairness constraints for all positive/negative occurrences of weak/strong operators. As a 
second improvement, we will now show that in the remaining situations, the operator 
strength can often be fixed by a simpler reachability constraint of the form Fφ instead 
of a more expensive fairness constraint GFφ. 

The key is thereby the following: Assume Φ contains only positive/negative occur- 
rences of strong/weak temporal future operators. For any path π with (K, π, 0) ⊨ Φ, 
we must evaluate the subformulas of Φ for only finitely many points of time, i.e., all 
models of Φ do only depend on a finite prefix. Hence, it is not necessary to define state 
variables q_φ and q_ψ such that the equations q_φ = φ and q_ψ = ψ hold for all points of 
time. Instead, it is completely sufficient that these equations hold long enough, i.e., for 
some finite interval. The key to our next improvement is therefore the following lemma: 



Lemma 1 (Solutions of q = ψ ∨ φ ∧ Xq). Given that the formula G[q = ψ ∨ φ ∧ Xq] 
initially holds, then the following equations initially hold: 



(F(g ^ (t{q=[pU 



G [(^F(g ^ tp)) (G(g = [v? U /;]))] 



This lemma is used as follows: Whenever a state variable q always satisfies the fixpoint 
equation q = ψ ∨ φ ∧ Xq, and at some point of time F(q → ψ) holds, then it follows 
that q is uniquely defined up to this point of time, since q = [φ U̲ ψ] holds up to this 
point of time. Hence, we can still abbreviate an elementary subformula [φ U̲ ψ] with a 
new state variable q by adding the equation q = ψ ∨ φ ∧ Xq to the transition relation. At 
the end of the interval I where we need to evaluate [φ U̲ ψ], we demand that F(q → ψ) 
must hold (this can always be demanded, since F([φ U̲ ψ] → ψ) is generally valid). 

It remains to define for each subformula the maximal point of time where it must 
be evaluated. It is to be noted that nestings of temporal operators extend these intervals, 
since at the end of the interval of the outermost operator, we need to evaluate the inner 
ones. An algorithm that keeps track of this is given in Figure 2. 
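The three facts used so far can be checked mechanically on a single path: the semantics of Definition 2, the observation of Theorem 1 that the weak and the strong until satisfy the same recursion law q = ψ ∨ φ ∧ Xq (they are its greatest and least solution), and the argument of Lemma 1 that the reachability condition q → ψ pins q down to the strong until up to that point. The Python below is an added example, not code from the paper. It evaluates future-time formulas on an ultimately periodic path given as a finite "lasso" (a constructed representation), solves the recursion law as a least or greatest fixpoint, and then enumerates every lasso-shaped solution of the recursion law to confirm the property stated after Lemma 1 on a constructed sample path. The names `evaluate`, `until_fixpoint`, `fixpoint_solutions`, `check_lemma1`, `PATH` and `LOOP` are this example's own.

```python
"""Semantics of Definition 2 on ultimately periodic paths, the recursion
law of Theorem 1, and the reachability argument of Lemma 1.

Added example, not the paper's code.  A path is a 'lasso': a list of label
sets for positions 0..n-1, where position n-1 continues at position
`loop`.  Truth values are computed position-wise over the lasso.  Both
until operators are solutions of the same equation q = psi ∨ phi ∧ Xq
(Theorem 1): the strong until is its least solution, the weak until its
greatest one.  Formula encoding (constructed for this example):
  ('true',) ('var',v) ('not',f) ('and',f,g) ('or',f,g) ('X',f)
  ('U',f,g) strong until    ('W',f,g) weak until
"""
from itertools import product


def succ(i, n, loop):
    """Successor position on the lasso."""
    return i + 1 if i + 1 < n else loop


def until_fixpoint(phi, psi, loop, least):
    """Kleene iteration for q = psi ∨ phi ∧ Xq over the lasso, starting
    from all-False (least solution) or all-True (greatest solution)."""
    n = len(phi)
    q = [not least] * n
    while True:
        nxt = [psi[i] or (phi[i] and q[succ(i, n, loop)]) for i in range(n)]
        if nxt == q:
            return q
        q = nxt


def evaluate(f, path, loop):
    """Truth value of f at every position of the lasso path."""
    n = len(path)
    op = f[0]
    if op == "true":
        return [True] * n
    if op == "var":
        return [f[1] in path[i] for i in range(n)]
    if op == "not":
        return [not v for v in evaluate(f[1], path, loop)]
    if op in ("and", "or"):
        a = evaluate(f[1], path, loop)
        b = evaluate(f[2], path, loop)
        return [(x and y) if op == "and" else (x or y) for x, y in zip(a, b)]
    if op == "X":
        a = evaluate(f[1], path, loop)
        return [a[succ(i, n, loop)] for i in range(n)]
    if op in ("U", "W"):
        a = evaluate(f[1], path, loop)
        b = evaluate(f[2], path, loop)
        return until_fixpoint(a, b, loop, least=(op == "U"))
    raise ValueError("unknown operator %r" % op)


# The paper's abbreviations: G a = ¬[1 U ¬a], F a = [1 U a] (strong U).
def G(f):
    return ("not", ("U", ("true",), ("not", f)))


def F(f):
    return ("U", ("true",), f)


def fixpoint_solutions(phi, psi, loop):
    """All lasso-shaped assignments q with G[q = psi ∨ phi ∧ Xq]."""
    n = len(phi)
    return [list(q) for q in product([False, True], repeat=n)
            if all(q[i] == (psi[i] or (phi[i] and q[succ(i, n, loop)]))
                   for i in range(n))]


def check_lemma1(path, loop, phi, psi):
    """Lemma 1 on this path: for every solution q of the equation and every
    time t at which q -> psi holds, q agrees with the strong until on all
    positions up to t.  Returns (holds, number of solutions)."""
    a, b = evaluate(phi, path, loop), evaluate(psi, path, loop)
    strong = until_fixpoint(a, b, loop, least=True)
    sols = fixpoint_solutions(a, b, loop)
    for q in sols:
        for t in range(len(path)):
            if (not q[t] or b[t]) and q[:t + 1] != strong[:t + 1]:
                return False, len(sols)
    return True, len(sols)


# Constructed sample path: a, then (a,b), then a forever.
PATH = [{"a"}, {"a", "b"}, {"a"}]
LOOP = 2
A, B = ("var", "a"), ("var", "b")

if __name__ == "__main__":
    print("[a U b]", evaluate(("U", A, B), PATH, LOOP))
    print("[a W b]", evaluate(("W", A, B), PATH, LOOP))
    print("solutions", fixpoint_solutions(evaluate(A, PATH, LOOP),
                                          evaluate(B, PATH, LOOP), LOOP))
    print("lemma 1", check_lemma1(PATH, LOOP, A, B))
```

On the sample path the recursion law has two solutions, [True, True, False] (the strong until) and [True, True, True] (the weak until); the second one differs from the strong until only from position 2 on, where q → b is false, which is exactly why demanding F(q → ψ) at the end of the interval of interest fixes the strong reading without a fairness constraint.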
function BorelFG_σ(Φ) 
  case Φ of 
    is_prop(Φ) : 
      return A∃({}, 1, 1, {}, Φ); 
    ¬φ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = BorelFG_{¬σ}(φ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, ¬φ'); 
    φ ∧ ψ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ'); 
    φ ∨ ψ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      return A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∨ ψ'); 
    Xφ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = BorelFG_σ(φ); q = new_var; 
      if ℱ_φ ≠ {} then ℱ_φ := {X ⋀ℱ_φ} end; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ (q = Xφ'), ℱ_φ, q); 
    [φ U ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      q = new_var; R_q = [q = ψ' ∨ φ' ∧ Xq]; 
      ℱ_q = if σ then ℱ_φ else {F[(φ' → q) ∧ ⋀ℱ_φ]}; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ R_q, ℱ_q, q); 
    [φ U̲ ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      q = new_var; R_q = [q = ψ' ∨ φ' ∧ Xq]; 
      ℱ_q = if σ then {F[(q → ψ') ∧ ⋀ℱ_φ]} else ℱ_φ; 
      return A∃(Q_φ ∪ {q}, I_φ, R_φ ∧ R_q, ℱ_q, q); 
    ←Xφ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = BorelFG_σ(φ); q = new_var; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ q, R_φ ∧ (Xq = φ'), ℱ_φ, q); 
    ←X̲φ : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ') = BorelFG_σ(φ); q = new_var; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ ¬q, R_φ ∧ (Xq = φ'), ℱ_φ, q); 
    [φ S ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      q = new_var; r_q = ψ' ∨ φ' ∧ q; R_q = [Xq = r_q]; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ q, R_φ ∧ R_q, ℱ_φ, r_q); 
    [φ S̲ ψ] : 
      A∃(Q_φ, I_φ, R_φ, ℱ_φ, φ' ∧ ψ') = BorelFG_σ(φ) × BorelFG_σ(ψ); 
      q = new_var; r_q = ψ' ∨ φ' ∧ q; R_q = [Xq = r_q]; 
      return A∃(Q_φ ∪ {q}, I_φ ∧ ¬q, R_φ ∧ R_q, ℱ_φ, r_q); 
  end case 
end function 

(⋀ℱ_φ denotes the conjunction of the constraints collected so far, i.e., 1 for ℱ_φ = {}.) 

Fig. 2. Considering Finite Intervals of Interest 



Theorem 6 (Correctness of BorelFG_σ(Φ)). For any Φ ∈ TL_FG and the automaton 
formula A∃(Q, I, R, ℱ, Φ_0) = BorelFG_σ(Φ) obtained by the algorithm of Figure 2, 
the following holds: 

(1) BorelFG_σ(Φ) runs in time O(|Φ|). 

(2) Φ_0 is propositional. 

(3) Each F ∈ ℱ can be derived from the nonterminal C_F by the following grammar: 

P_Prop ::= V | ¬P_Prop | P_Prop ∧ P_Prop | P_Prop ∨ P_Prop | P_Prop → P_Prop 
C_F ::= FP_Prop | F(P_Prop ∧ C_F) | XC_F | C_F ∧ C_F 

(4) For σ = 1, the equation Φ = A∃(Q, I, R, ℱ, Φ_0) is initially valid. 

(5) For σ = 0, the equation ¬Φ = A∃(Q, I, R, ℱ, ¬Φ_0) is initially valid. 
For example, the formula [[φ U̲ ψ] U̲ γ] is translated by introducing new state vari- 
ables p, q with appropriate transition relations and the reachability constraint ℱ = 
{F[(q → γ) ∧ F(p → ψ)]}. For the proof of the above theorem, we used initially valid 
formulas of the following form to establish the invariants: 

^ G(;p — ?> (/?o) A G (Xip t [ifQ = A ^ 

G(t/) = V']) A 

yQ[q = ipo ^Xq] ^ Q {v {[q tpo] A A Cv>) ^ ^ = [<F U ip])^ ^ 

The above formula is used in the induction step for [φ U̲ ψ]. C_φ and C_ψ are thereby the 
reachability constraints that have been obtained from the translation of the subformulas 
φ and ψ. Due to the definition of TL_FG, we always have the monotonicity conditions 
G(φ → φ_0) and G(ψ → ψ_0), so that the conjunction of the transition relation with 
q = ψ_0 ∨ φ_0 ∧ Xq will fix q as desired whenever F([q → ψ_0] ∧ C_φ ∧ C_ψ) holds. 
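The two sign-directed translations of Sections 5.1 and 5.2 differ only in the constraint they attach at an until node. The following Python is an added example (not the paper's implementation) that performs both: with `reach=False` it attaches the fairness constraints of Figure 1, with `reach=True` the nested reachability constraints of Figure 2, and in both modes it follows the rule of Theorem 4 that only a strong until at σ = 1 or a weak until at σ = 0 needs a constraint. It leaves out the past operators, passes the subformulas' constraints on where a node adds none, and uses its own tuple encoding of formulas; the class `Translator`, the helpers `conj`, `implies`, `show` and the variable names `q0`, `q1`, ... are assumptions of this example. The last usage line reproduces the paper's example [[φ U̲ ψ] U̲ γ].

```python
"""Sign-directed symbolic translation of LTL, in the manner of Fig. 1
(TopProp_sigma) and Fig. 2 (BorelFG_sigma).

Added example, not the paper's implementation.  It follows Theorem 4 and
the two figures as read here: a constraint is generated only for a strong
until at sigma = 1 or a weak until at sigma = 0.  With reach=False the
constraint is a fairness constraint GF[...] (Fig. 1); with reach=True it
is a reachability constraint F[...] that nests the constraints of the
subformulas (Fig. 2).  Where a node generates no constraint, the
constraints of its subformulas are passed on.  Past operators are left
out.  Formula encoding (constructed for this example):
  ('true',) ('var',v) ('not',f) ('and',f,g) ('or',f,g) ('X',f)
  ('U',f,g) strong until    ('W',f,g) weak until
"""
from itertools import count


def implies(a, b):
    return ("or", ("not", a), b)


def conj(fs):
    """Conjunction of a list of formulas; the empty conjunction is 1."""
    out = ("true",)
    for f in fs:
        out = f if out == ("true",) else ("and", out, f)
    return out


def show(f):
    """Readable rendering; (¬a ∨ b) is printed as (a → b)."""
    op = f[0]
    if op == "true":
        return "1"
    if op == "var":
        return f[1]
    if op == "not":
        return "¬" + show(f[1])
    if op == "or" and f[1][0] == "not":
        return "(%s → %s)" % (show(f[1][1]), show(f[2]))
    if op in ("and", "or"):
        return "(%s %s %s)" % (show(f[1]), "∧" if op == "and" else "∨", show(f[2]))
    return op + show(f[1])            # X, F, G


class Translator:
    def __init__(self, reach=False):
        self.reach = reach
        self.fresh = count()
        self.Q = []          # state variables introduced so far
        self.R = []          # transition equations as (lhs, rhs) pairs

    def new_var(self):
        q = ("var", "q%d" % next(self.fresh))
        self.Q.append(q)
        return q

    def run(self, phi, sigma=True):
        """Returns (Q, R, constraints, phi0) with phi0 propositional."""
        cons, phi0 = self.tr(phi, sigma)
        return self.Q, self.R, cons, phi0

    def tr(self, f, sigma):
        op = f[0]
        if op in ("true", "var"):
            return [], f
        if op == "not":
            cons, p = self.tr(f[1], not sigma)        # negation flips the sign
            return cons, ("not", p)
        if op in ("and", "or"):
            c1, p = self.tr(f[1], sigma)
            c2, r = self.tr(f[2], sigma)
            return c1 + c2, (op, p, r)
        if op == "X":
            c1, p = self.tr(f[1], sigma)
            q = self.new_var()
            self.R.append((q, ("X", p)))              # q = X phi'
            if self.reach and c1:                     # Fig. 2: shift constraints by one step
                c1 = [("X", conj(c1))]
            return c1, q
        if op in ("U", "W"):
            c1, p = self.tr(f[1], sigma)
            c2, r = self.tr(f[2], sigma)
            q = self.new_var()
            self.R.append((q, ("or", r, ("and", p, ("X", q)))))   # q = psi' ∨ phi' ∧ Xq
            if op == "U" and sigma:
                core = implies(q, r)                  # strong until: q → psi'
            elif op == "W" and not sigma:
                core = implies(p, q)                  # weak until: phi' → q
            else:
                return c1 + c2, q                     # monotonicity: no constraint here
            if self.reach:
                return [("F", conj([core] + c1 + c2))], q
            return c1 + c2 + [("G", ("F", core))], q
        raise ValueError("unknown operator %r" % op)


# The paper's abbreviations: G a = ¬[1 U ¬a], F a = [1 U a] (strong U).
def G(f):
    return ("not", ("U", ("true",), ("not", f)))


def F(f):
    return ("U", ("true",), f)


if __name__ == "__main__":
    a, b, c = ("var", "a"), ("var", "b"), ("var", "c")
    for name, phi in [("G a", G(a)), ("F a", F(a)), ("GF a", G(F(a)))]:
        _, _, cons, _ = Translator().run(phi)
        print(name, [show(x) for x in cons])
    _, _, cons, _ = Translator(reach=True).run(("U", ("U", a, b), c))
    print("[[a U b] U c]", [show(x) for x in cons])
```

With `reach=False`, `G a` (a negative occurrence of a strong until) produces no constraint at all, `F a` produces one fairness constraint GF(q0 → a), and `GF a` still needs only one; with `reach=True`, `[[a U b] U c]` yields the single nested reachability constraint F((q1 → c) ∧ F(q0 → b)) that the text derives for [[φ U̲ ψ] U̲ γ].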



5.3 Translation by Closures 

The automaton obtained by the function BorelFG does not directly fall into one of the 
automaton classes. However, it is easily seen that we can reduce it to either a NDet_F or 
an NDet_FG automaton. For reasons of efficiency,⁷ we choose the latter class for a further 
translation. This further translation is based on a simple bottom-up rewriting with the 
equations of the following lemma: 



Lemma 2 (Closures of NDetFG)- Given a propositional formula p, and NDetpG 
tomata 21 ^ = Slijr = AI 3 !?Xj FGS(^) with 

n = {}> the following equations are generally valid: 



- Vp = A-^ ({g}, -ig, [-ig /\->p f\ -•Xg] V 
( Q\J {p},-'p V 

[-■p A ~'Xp] V 
[-ip A X (p A A p)] V 
[p A ^ 7 ?, A Xp] , 

\FG(p A 

'QU{p},-.p, 

- X [21^.] = Xla I Xp a Xp a Xt^x] V [p A A Xp] 



— F (<p A 21^) = A^ 



q A p A Xg] V [g A Xg] , FGg) 

\ 



/ 



y FG<?x / 

- p A 2lg) = Xla (Q<7), d>x A p, FGt^x) 

- 2l<f A 2lifr = A 3 (Q<z> U Qxr, ^x A >Px, A Wn, FG(^x A 



The above equations are not hard to prove. The reader is asked to draw the transition 
systems to convince himself/herself of the correctness. Using BorelFG and the above 
closures, we can now translate any TL_FG formula to an equivalent NDet_FG automaton 
with linear runtime and memory requirements (cf. Figure 3). 

⁷ We only need the conjunction of automata, and never the disjunction. As FGφ ∧ FGψ = 
FG(φ ∧ ψ) is valid, we can easily compute the conjunction of NDet_FG automata, which is not 
so simple for NDet_F automata. 



K. Schneider 



6 The Final Translation 

The algorithms of the previous sections already allow us to efficiently translate any 
TL_FG formula to an equivalent NDet_FG automaton with only linear runtime and mem- 
ory requirements. This is important since each formula that can be translated to the 
alternation-free μ-calculus has an equivalent TL_FG formula, since it can be translated 
to NDet_FG. Therefore, with symbolic model checking, these formulas can be more effi- 
ciently checked than arbitrary LTL formulas, and our experiments show that the verifi- 
cation procedures are almost comparable to CTL model checking (see also [?]). 

The translation procedure for TL_FG can also be used to enhance the translation of 
arbitrary LTL formulas. To see this, it is convenient to use the notion of templates: Φ is a 
template of Ψ, if Ψ can be obtained from Φ by replacing some occurrences of variables 
in Φ with some other formulas (Φ matches with Ψ). It is straightforward to compute from 
any temporal logic formula Φ the largest template that belongs to TL_FG. To perform this 
computation, we simply traverse the syntax tree of Φ and abbreviate any subformula that 
violates the grammar rules of TL_FG by a new state variable by application of TopProp to 
that subformula (having this view, TopProp is also an extraction procedure that extracts 
the largest propositional template). The resulting function TopFG is very similar to 
TopProp, and also runs in linear time [?]. 

Theorem 7 (Algorithm TopFG). There is an algorithm TopFG such that for any tem- 
poral logic formula Φ ∈ LTL, and the automaton formula A∃(Q, I, R, ℱ, Φ_0) = 
TopFG_σ(Φ), the following holds: 

(1) TopFG_σ(Φ) runs in time O(|Φ|). 

(2) If σ = 1 holds, we have Φ_0 ∈ TL_FG, otherwise, we have Φ_0 ∈ TL_GF. 

(3) Each F ∈ ℱ is of the form GFφ' where φ' is propositional. 

(4) For σ = 1, the equation Φ = A∃(Q, I, R, Φ_0 ∧ ⋀_{F∈ℱ} F) is initially valid. 

(5) For σ = 0, the equation ¬Φ = A∃(Q, I, R, ¬Φ_0 ∧ ⋀_{F∈ℱ} F) is initially valid. 

Given any formula Φ ∈ LTL, we can therefore apply the function TopFG to extract 
the largest template of Φ that belongs to TL_FG. This template is then translated by 
BorelFG and the closure equations to an equivalent NDet_FG automaton (without fairness 
constraints). Note that TopFG still introduces fairness constraints, but BorelFG does not. 

This translation procedure can be further improved. To explain this, we need to note 
that the final automaton problems can be reduced to fair CTL model checking problems 
due to the following lemma, where E is the existential path quantifier (Eφ holds on a 
state s if there is a fair path starting in s that satisfies φ): 

Lemma 3 (Reducing ω-Automata Model Checking to CTL Model Checking). Given 
an automaton formula 𝔄 = A∃(Q, I, R, ℱ) so that ℱ does not contain past temporal 
operators. Then, the following is equivalent for any structure K, and any state s of K: 

- (K, s) ⊨ E A∃(Q, I, R, ℱ) 

- there is an Ω ⊆ Q ∪ V such that (K × K_𝔄, (s, Ω)) ⊨ I ∧ Eℱ and L(s) = Ω ∩ V 
function Automaton(OnlyMono, useBorel, toCTL, Φ) 
  if OnlyMono then return TopProp_1(Φ) end; 
  A∃(Q_0, I_0, R_0, ℱ_0, Φ_0) = TopFG_1(Φ); 
  if useBorel then // translate to reachability automaton 
    A∃(Q_1, I_1, R_1, ℱ_1, Φ_1) = BorelFG_1(Φ_0); 
    I_1 := I_1 ∧ ⋀ℱ_1; 
  else // extract top-level TL_FE formula 
    A∃(Q_1, I_1, R_1, Φ_1) = TopFE_1(Φ_0); 
  end; 
  // in any case, we now have Φ_1 ∈ TL_FE 
  if toCTL then // translate to CTL 
    Φ_2 := LeftCTL2CTL(Φ_1); 
    return A∃(Q_0 ∪ Q_1, I_0 ∧ I_1, R_0 ∧ R_1, ℱ_0, Φ_2); 
  else // apply closure theorems 
    A∃(Q_2, I_2, R_2, FGΦ_2) = close(Φ_1); 
    return A∃(Q_0 ∪ Q_1 ∪ Q_2, I_0 ∧ I_1 ∧ I_2, R_0 ∧ R_1 ∧ R_2, ℱ_0, FGΦ_2); 
  end; 
end function 

Fig. 3. The Final Translation from LTL to ω-Automata or CTL Model Checking 



Hence a reduction to the standard automaton classes is not necessary. Instead, a reduction 
to an 'ω-automaton' A∃(Q, I, R, Φ) would be sufficient so that Φ can be easily 
translated to a CTL formula. For our model checking tool, this view offers another 
alternative to the translation to simple ω-automata that is already contained in the algorithm 
of Figure 3. Using OnlyMono = 1 will simply call TopProp for the translation. 
Otherwise, we extract the largest template Φ0 of Φ that belongs to TL_FG. Using the flag 
useBorel, we then have the choice to either apply BorelFG to compute an automaton 
A∃(Q1, I1, R1, F1, Φ1) where Φ1 is propositional and the constraints of F1 obey the 
grammar rules of Theorem [?], or to reduce to an automaton A∃(Q1, I1, R1, Φ1) where Φ1 
belongs to the following logic TL_PE: 

Definition 4 (The Linear Time Fragment of LeftCTL* [26]). We define the logics 
TL_PE and TL_PA by the following grammar rules, where TL_PE and TL_PA are the sets of 
formulas that can be derived from the nonterminals P_PE and P_PA, respectively, where 
the rules of P_prop are given in Theorem [?]: 

P_PA ::= V | ¬P_PE | P_PA ∧ P_PA | P_PA ∨ P_PA | X P_PA | G P_PA | F P_prop | [P_PA U P_prop] | [P_PA U̲ P_prop] 

P_PE ::= V | ¬P_PA | P_PE ∧ P_PE | P_PE ∨ P_PE | X P_PE | G P_prop | F P_PE | [P_prop U P_PE] | [P_prop U̲ P_PE] 

Obviously, we have TL_PE ⊆ TL_FG and TL_PA ⊆ TL_GF, and both inclusions are strict. 
It is therefore possible to modify our function BorelFG to a new procedure TopPE that 
does not abbreviate all temporal operators until a propositional formula is obtained, but 
only those that violate the grammar rules of TL_PE and TL_PA, respectively. 

The reason why we want to extract the largest TL_PE template of a TL_FG formula is 
that in [26] it has been shown that all formulas of the form EΦ with Φ ∈ TL_PE can be 
translated to CTL. Note further that the reachability constraints generated by BorelFG 
also belong to TL_PE. Therefore, after the application of either BorelFG or TopPE, we 
have the choice to either translate by means of closure theorems or by a translation to 
CTL. This is controlled by the remaining flag toCTL. 



1 Experimental Results 



The presented translation procedures have been implemented in ML as a plug-in for 
the theorem prover HOL [?] and as a Java applet that can be accessed¹ via a WWW 
browser with a Java virtual machine. Some experiments have already been made that have 
clearly shown that the presented translation procedures often outperform existing tools. 
To illustrate this with a practical example, we consider the verification of the arbitration 
process given in [?]. The specification we verified for this arbitration process is the 
following property that assures that no process is indefinitely ignored: 



[Specification formula not recoverable from the scan; it is a conjunction of three constraints labelled "termination of access", "persistent requests" and "fairness".] 



We have checked this specification using different translation procedures. The memory 
consumption and runtime requirements on a Pentium-III@450MHz with 256 MBytes 
main memory with CMU-SMV 2.4.3 as backend model checker are given in Figure 4. 




Fig. 4. Experimental data for the verification of the arbitration process 



The above results have been obtained by optimized variable orderings. The basic trans- 
lation introduces 2n + 4 fairness constraints for n processes, while TopProp will only 
generate three, and using useBorel even none (note that the negation of the specification 
is translated). Note that all the LTL model checkers of the SMV family, i.e., CMU- 
SMV [?], CADENCE-SMV [?], and NuSMV [?] only use, beneath some other 
improvements different from the ones presented here, the basic translation of Theorem [?]. 

We have had similar experiences with other experiments (we checked over 10000 
randomly generated LTL formulas with up to 100 operators). We therefore claim that 
our translations outperform state-of-the-art symbolic model checking tools for LTL. 

¹ http://goethe.ira.uka.de/~schneider/my_tools/TempLogicTool 
Abstract. Recently, local logics for Mazurkiewicz traces are of increas- 
ing interest. This is mainly due to the fact that the satisfiability problem 
has the same complexity as in the word case. If we focus on a purely lo- 
cal interpretation of formulae at vertices (or events) of a trace, then the 
satisfiability problem of linear temporal logics over traces turns out to be 
PSPACE-complete. But now the difficult problem is to obtain expressive 
completeness results with respect to first order logic. 

The main result of the paper shows such an expressive completeness 
result, if the underlying dependence alphabet is a cograph, i.e., if all 
traces are series parallel graphs. Moreover, we show that this is the 
best we can expect in our setting: If the dependence alphabet is not a 
cograph, then we cannot express all first order properties. 

Keywords. Temporal logics, Mazurkiewicz traces, concurrency 



1 Introduction 

Trace theory, initiated in computer science by Mazurkiewicz [?], is one of the 
most popular settings to study concurrency. The behavior of a concurrent process 
is not represented by a string, but more accurately by some labelled partial order. 

A suitable way for a formal specification of concurrent systems is given by 
temporal logic formulae which in turn have a direct (either global or local) in- 
terpretation for Mazurkiewicz traces. It is therefore no surprise that temporal 
logics for traces have received quite an attention, see [?]. In [17] 
it was shown that the basic (global) linear temporal logic with future tense op- 
erators and with past tense constants is expressively complete with respect to 
the first order theory of finite and infinite traces (real traces). In [?] we have 
obtained the same result but without any past tense modalities by quite differ- 
ent proof techniques (which will be used here again). This positive result has 
solved a long standing open question in [?]. The price of this logic is an ex- 
tremely difficult satisfiability problem, it has been shown to be non-elementary 
by Walukiewicz [?]. The main reason for this difficulty is the global interpreta- 
tion of a formula which makes it necessary to speak about configurations, i.e., we 
give an interpretation of a formula for a trace with respect to some finite prefix, 
and the prefix structure of a trace is much more complicated than in the case 
of linear orders (words). If we give a local interpretation such that each formula 
can be evaluated at a single vertex (or event), then we obtain logics where the 
satisfiability problem is still in PSPACE. This is in particular the case for the 
logic TLC, which has been introduced by Alur et al. in [1]. The logic has been 
extended and studied in detail by Henriksen in [?]. The logic TLC uses an 
existential version of the until-operator, which is not expressible in first order, 
in general (Section 5). On the other hand, it seems also too weak to express all 
first order properties for all dependence alphabets. 

* Partial support of EC-FET project IST-1999-29082 (ADVANCE), CEFIPRA- 
IFCPAR Project 2102-1 (ACSMV) and PROCOPE project 00269SD (MoVe) is gra- 
tefully acknowledged. 

In our paper, we shall use a universal version of the until-operator, which, by 
its very definition, is first order definable. The main result of our paper shows 
that we obtain a local logic which is expressively complete, if the underlying 
dependence graph is a cograph, i.e., every trace is a series parallel graph (or 
N-free). This result is robust: the same holds for TLC or for other variants of 
the semantics of the until-operator. Moreover, we show that cographs 
are in some sense the limit where we can expect such a positive result. As long 
as we use no past tense modalities we cannot specify all first order properties 
by our logic, whether the until is existential or universal or whether we 
have both options. Our main theorems (Thms. 2 and 3) are therefore if-and-only-if 
statements. 

In the final section we will see that a universal until does not change com- 
plexity issues very much. The satisfiability problem of TLC augmented by this 
operator can still be solved in PSPACE. 

For lack of space, we cannot give full proofs in this extended abstract. 

2 Preliminaries 

We briefly recall some notions concerning Mazurkiewicz traces. For the back- 
ground we refer to [?]. A dependence alphabet is a pair (Σ, D) where the alpha- 
bet Σ is a finite set and the dependence relation D ⊆ Σ × Σ is reflexive and 
symmetric. The independence relation I is the complement of D. For A ⊆ Σ, we 
denote by I(A) = {b ∈ Σ | (a, b) ∈ I for all a ∈ A} the set of letters independent 
from A and we let D(A) = Σ \ I(A) be the set of letters depending on (some 
action in) A. 

A real Mazurkiewicz trace is (an isomorphism class of) a labelled partial 
order t = [V, <, λ] where V is a set of vertices, λ : V → Σ is the labelling, and < 
is a partial order over V satisfying the following conditions: For all x ∈ V, the 
downward set {y ∈ V | y < x} is finite, (λ(x), λ(y)) ∈ D implies x ≤ y or y ≤ x, 
and x ⋖ y implies (λ(x), λ(y)) ∈ D, where ⋖ = < \ <² is the direct successor 
relation in the Hasse diagram of t. 

The alphabet of the trace t is the set alph(t) = λ(V) ⊆ Σ and its alphabet at 
infinity alphinf(t) is the set of letters occurring infinitely often in t. The set of 
all traces is denoted by ℝ(Σ, D) or simply by ℝ. A trace t is called finite, if V 
is finite. For t = [V, <, λ] ∈ ℝ, we define min(t) ⊆ V as the set of all minimal 
vertices of t. We can read min(t) ⊆ Σ also as the set of labels of the minimal 
vertices of t. It will always be clear from the context what we actually mean. If 
t is finite, we define max(t) ⊆ V as the set of all maximal vertices of t and we 
also use max(t) ⊆ Σ for the set of labels of the maximal vertices of t. Note that 
max(t) is only defined when t is a finite trace, though the definition would make 
sense also for infinite traces. 

We define the concatenation of two traces t1 = [V1, <1, λ1] ∈ ℝ and t2 = 
[V2, <2, λ2] ∈ ℝ verifying alphinf(t1) × alph(t2) ⊆ I by t1 · t2 = [V, <, λ] where 
V = V1 ∪ V2 (assuming w.l.o.g. that V1 ∩ V2 = ∅), λ = λ1 ∪ λ2 and < is 
the transitive closure of the relation <1 ∪ <2 ∪ (V1 × V2 ∩ λ⁻¹(D)). The set 
of finite traces becomes a monoid which is denoted by 𝕄(Σ, D) or simply by 
𝕄. The empty trace 1 = (∅, ∅, ∅) is the unit element. Also, if A ⊆ Σ, we let 
ℝ_A = {x ∈ ℝ | alph(x) ⊆ A} and 𝕄_A = 𝕄 ∩ ℝ_A. We also define 𝕄⁺ = 𝕄 \ {1} 
and 𝕄⁺_A = 𝕄⁺ ∩ 𝕄_A. 

Our main results concern dependence alphabets which are cographs. Accord- 
ing to standard graph theoretical notions, a dependence alphabet is called a 
cograph, if it belongs to the smallest class of graphs which contains singletons 
and which is closed under the operations of disjoint union and complementation. 
Clearly, (Σ, D) is a cograph if and only if the independence alphabet (Σ, I) is a 
cograph. It is well-known that an undirected graph is a cograph if and only if it 
does not contain any P4 (a line of 4 vertices) as an induced subgraph [2]. It turns 
out that (Σ, D) is a cograph if and only if all t ∈ 𝕄(Σ, D) are series parallel 
graphs, i.e., we can build up the trace starting with letters by taking serial and 
parallel products. In particular, every such trace is N-free, i.e., whenever there 
are four vertices a, b, c, d with a < b, c < b, and c < d, then there is at least one 
more ordering between them. 
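The definitions above (dependence alphabet, the trace of a word as a labelled partial order with its Hasse diagram, min and max read as letter sets, the P4 characterization of cographs, and the N-free property) are small enough to compute directly. The following Python block is an added example, not code from the paper; the two dependence alphabets C4 and P4 and the words it uses are constructed for illustration, and the function names (dependence, is_cograph, trace_of_word, min_labels, max_labels, is_n_free, demo) are my own.

```python
"""Dependence alphabets, traces as labelled partial orders, and the cograph test.

Added example, not from the paper. The two dependence alphabets below are
constructed for illustration: C4 (a 4-cycle) is a cograph, P4 (a path on four
letters) is not, and the word acbd over P4 yields an N-shaped trace.
"""
from itertools import permutations


def dependence(letters, edges):
    """Reflexive, symmetric dependence relation D built from an undirected edge list."""
    d = {(a, a) for a in letters}
    for a, b in edges:
        d.add((a, b))
        d.add((b, a))
    return d


def is_cograph(letters, d):
    """(Sigma, D) is a cograph iff it has no induced P4: vertices a, b, c, e carrying
    exactly the edges a-b, b-c, c-e."""
    def adj(u, v):
        return u != v and (u, v) in d
    for a, b, c, e in permutations(letters, 4):
        if (adj(a, b) and adj(b, c) and adj(c, e)
                and not adj(a, c) and not adj(a, e) and not adj(b, e)):
            return False
    return True


def trace_of_word(word, d):
    """The trace [V, <, lambda] of a word: vertices are positions, and i < j iff j is
    reachable from i through a chain of pairwise dependent positions."""
    n = len(word)
    reach = [[i < j and (word[i], word[j]) in d for j in range(n)] for i in range(n)]
    for k in range(n):                       # Warshall transitive closure
        for i in range(n):
            for j in range(n):
                if reach[i][k] and reach[k][j]:
                    reach[i][j] = True
    lt = {(i, j) for i in range(n) for j in range(n) if reach[i][j]}
    # Hasse diagram: direct successors, i.e. the relation  <  minus  <^2
    cover = {(i, j) for (i, j) in lt
             if not any((i, k) in lt and (k, j) in lt for k in range(n))}
    return {"labels": dict(enumerate(word)), "lt": lt, "cover": cover}


def min_labels(t):
    """min(t) read as a set of letters: vertices with nothing below them."""
    return {t["labels"][x] for x in t["labels"] if not any(v == x for (_, v) in t["lt"])}


def max_labels(t):
    """max(t) read as a set of letters (the trace is finite)."""
    return {t["labels"][x] for x in t["labels"] if not any(u == x for (u, _) in t["lt"])}


def is_n_free(t):
    """No four vertices with a<b, c<b, c<e and no further ordering among them."""
    lt = t["lt"]
    for a, b, c, e in permutations(t["labels"], 4):
        if (a, b) in lt and (c, b) in lt and (c, e) in lt:
            others = [(a, c), (c, a), (a, e), (e, a), (b, e), (e, b)]
            if not any(p in lt for p in others):
                return False
    return True


LETTERS = ("a", "b", "c", "d")
C4 = dependence(LETTERS, [("a", "b"), ("a", "c"), ("b", "d"), ("c", "d")])  # cograph
P4 = dependence(LETTERS, [("a", "b"), ("b", "c"), ("c", "d")])              # not a cograph


def demo():
    """Facts about the two constructed alphabets and one trace over each."""
    t_c4 = trace_of_word("abcd", C4)   # a below b and c (concurrent), both below d
    t_p4 = trace_of_word("acbd", P4)   # an N: a<b, c<b, c<d and nothing else
    return {
        "c4_is_cograph": is_cograph(LETTERS, C4),
        "p4_is_cograph": is_cograph(LETTERS, P4),
        "c4_cover": t_c4["cover"],
        "c4_min": min_labels(t_c4),
        "c4_max": max_labels(t_c4),
        "c4_n_free": is_n_free(t_c4),
        "p4_n_free": is_n_free(t_p4),
    }


if __name__ == "__main__":
    print(demo())
```

The P4 search is brute force over all 4-tuples, which is fine for an alphabet of a handful of letters; trace_of_word is the usual construction in which the order is the transitive closure of the "earlier and dependent" relation, so two words that differ only by swapping adjacent independent letters give the same cover relation.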

We shall use the algebraic notion for recognizability: Let h : 𝕄 → S be a 
morphism to some finite monoid S. For x, y ∈ ℝ, we say that x and y are h- 
similar, denoted by x ∼_h y, if either x, y ∈ 𝕄 and h(x) = h(y) or x and y have 
infinite factorizations in non-empty finite traces x = x1x2⋯, y = y1y2⋯ with 
x_i, y_i ∈ 𝕄⁺ and h(x_i) = h(y_i) for all i. We denote by ≈_h the transitive closure of 
∼_h, which is therefore an equivalence relation. Since S is finite, this equivalence 
relation is of finite index with at most |S|² + |S| equivalence classes. A real trace 
language L ⊆ ℝ is recognized by h if it is saturated by ≈_h, i.e., x ∈ L implies 
that the ≈_h-class of x is contained in L, for all x ∈ ℝ. 

Let L ⊆ ℝ be recognized by a morphism h : 𝕄 → S and A ⊆ Σ. Then, 
L ∩ 𝕄_A and L ∩ ℝ_A are recognized by the restriction h|_{𝕄_A}. 

A finite monoid S is aperiodic, if there is some n > 0 such that sⁿ = sⁿ⁺¹ 
for all s ∈ S. A real trace language L ⊆ ℝ is aperiodic if it is recognized by 
some morphism to some finite and aperiodic monoid. We denote by AP(Σ, D) 
or simply by AP the set of aperiodic languages L ⊆ ℝ(Σ, D). If A ⊆ Σ, we use 
the notation AP_A for the aperiodic languages over ℝ_A. 
In the following we shall use the well-known equivalence between first-order 
definability and aperiodic languages. The first order theory of traces is given by 
the syntax of FO_Σ(<): 

φ ::= P_a(x) | x < y | ¬φ | φ ∨ φ | (∃x)φ, 

where a ∈ Σ and x, y ∈ Var are first order variables. Given a trace t = [V, <, λ] 
and a valuation σ of the free variables into the vertices, the semantics is obtained 
by interpreting the predicate P_a(x) by λ(σ(x)) = a and the relation < as the 
strict partial order relation of the trace t. Then we can say whether or not 
t, σ ⊨ φ. If φ is a sentence, i.e., a closed formula, then we define the language 
ℒ(φ) = {t ∈ ℝ | t ⊨ φ}. We say that a trace language L ⊆ ℝ is expressible 
in FO_Σ(<) if there exists some sentence φ ∈ FO_Σ(<) such that L = ℒ(φ). We 
denote by FO_(Σ,D)(<) the set of real trace languages L ⊆ ℝ(Σ, D) such that for 
some sentence φ ∈ FO_Σ(<) we have L = ℒ(φ). 

Theorem 1 ([?]). A language L ⊆ ℝ(Σ, D) is expressible in FO_Σ(<) if and 
only if it is aperiodic, i.e., FO_(Σ,D)(<) = AP(Σ, D). 

We say that a first order formula is in FOⁿ_Σ(<) if it uses at most n first order 
variables (it may use each variable several times). 

3 Local Temporal Logics for Traces 

In this section, we introduce the local temporal logic over traces and its seman- 
tics. We restrict ourselves to future modalities (partly for lack of space), but of 
course, dual past tense modalities can also be defined and whenever we state 
that a fragment is in FO_Σ(<), then the fragment augmented by the dual past 
tenses will have the same property. In the next sections we specialize the logics 
by considering various subsets of the modalities. We say that a temporal logic 
over traces is local if it is evaluated at the vertices of the trace as for first or- 
der formulae. This is in contrast with global temporal logic formulae that are 
evaluated at global configurations of the trace, i.e., at finite prefixes of the trace. 

For global formulae, we say that a trace is a model of a formula if it sat- 
isfies the formula at the empty configuration. There is no such canonical way 
to interpret a formula at some trace without fixing some vertex since there is 
no canonical vertex in the trace where to start the evaluation of the formula. 
Natural vertices are the minimal ones but a trace may have several minimal 
vertices. We have chosen to introduce initial formulae to address this problem. 
There are other possibilities, like adding a unique minimal dummy, but then 
the logic becomes more expressive and we are mainly interested in expressive 
completeness (with respect to first-order) for a weak fragment of our logic. 

We start with the definition of (internal) formulae that are evaluated at 
vertices. The syntax of LocTLⁱ_Σ(EX, U, EU) is given by 

φ ::= ⊥ | a ∈ Σ | ¬φ | φ ∨ φ | EX φ | φ U φ | φ EU φ. 

The symbol ⊥ means false, EX φ claims that φ holds for some immediate suc- 
cessor of the current vertex; φ U ψ is a universal until claiming that ψ holds for 
some vertex above the current one and that φ holds for all vertices in between; 
on the contrary, φ EU ψ is an existential until claiming the existence of some 
path starting at the current vertex in the Hasse diagram of the trace where φ 
holds until ψ does. Formally, the semantics is inductively given as follows. Let 
t = [V, <, λ] ∈ ℝ and let x ∈ V (we also write x ∈ t). 

⊤ = ¬⊥, hence ⊤ means true. We derive some more operators 
from the above ones. Eventually φ claims the existence of some vertex where φ 
holds above the current one: F φ = ⊤ U φ = ⊤ EU φ. Its dual operator, always 
φ, means that φ holds at all positions above the current one: G φ = ¬F ¬φ. 

The initial formulae LocTL_Σ(···) are defined by the syntax 

α ::= ⊤ | EM φ | ¬α | α ∨ α 

where φ ∈ LocTLⁱ_Σ(···). Intuitively, EM φ means that φ holds at some minimal 
vertex. Formally, the semantics is given by 

t ⊨ EM φ    if ∃x ∈ min(t) with t, x ⊨ φ 
t ⊨ ¬α      if t ⊭ α 
t ⊨ α ∨ β   if t ⊨ α or t ⊨ β 

The dual AM φ = ¬EM ¬φ means that φ holds for all minimal vertices. One can 
show that each initial formula is equivalent to a finite disjunction of formulae of 
the form AM φ ∧ ⋀_{a∈A} EM a with φ ∈ LocTLⁱ_Σ(···) and A ⊆ Σ. 

An initial formula α ∈ LocTL_Σ(···) defines the language ℒ(α) = {t ∈ ℝ | 
t ⊨ α} and we say that a trace language L ⊆ ℝ is expressible in LocTL_Σ(···) if 
there exists an initial formula α ∈ LocTL_Σ(···) such that L = ℒ(α). We denote 
by LocTL_(Σ,D)(···) the set of languages over ℝ(Σ, D) that are expressible by 
some local temporal formula using the modalities (···). 

With local temporal formulae, we can express various alphabetic properties. 

(a ∈ min) = EM a 

(a ∈ alph) = EM F a 

(a ∈ alphinf) = EM(F a ∧ G(a → EX F a)) 
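The difference between the universal until U and the existential until EU, and the alphabetic properties just listed, can be checked mechanically on a small finite trace. The Python block below is an added example, not code from the paper. The trace is a constructed sample given directly as vertex labels plus the edges of its Hasse diagram; the semantics it implements is my reading of the informal description above (EX over direct successors; φ U ψ: some y ≥ x satisfies ψ and φ holds at every z with x ≤ z < y; φ EU ψ: a Hasse path from x on which φ holds until ψ; EM φ: some minimal vertex satisfies φ), and the names Trace, holds, holds_initial, in_min, in_alph, in_alphinf and demo are my own.

```python
"""Evaluating local temporal formulas on a finite trace (added example, not from the paper).

Formulas are nested tuples; the trace SAMPLE is a constructed labelled partial order.
"""


def strict_order(cover):
    """Transitive closure of the direct-successor relation: the strict order <."""
    lt = set(cover)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(lt):
            for (u, v) in list(lt):
                if y == u and (x, v) not in lt:
                    lt.add((x, v))
                    changed = True
    return lt


class Trace:
    def __init__(self, labels, cover):
        self.labels = labels        # vertex -> letter (the labelling lambda)
        self.cover = set(cover)     # Hasse diagram edges (direct successors)
        self.lt = strict_order(cover)

    def succ(self, x):
        return [y for (u, y) in self.cover if u == x]

    def le(self, x, y):
        return x == y or (x, y) in self.lt

    def minimal(self):
        return [x for x in self.labels if not any(v == x for (_, v) in self.lt)]


# Internal formulas: ("bot",) ("atom", a) ("not", f) ("or", f, g) ("EX", f) ("U", f, g) ("EU", f, g)
def holds(t, x, f):
    op = f[0]
    if op == "bot":
        return False
    if op == "atom":
        return t.labels[x] == f[1]
    if op == "not":
        return not holds(t, x, f[1])
    if op == "or":
        return holds(t, x, f[1]) or holds(t, x, f[2])
    if op == "EX":
        return any(holds(t, y, f[1]) for y in t.succ(x))
    if op == "U":   # universal until: every vertex z with x <= z < y must satisfy phi
        return any(holds(t, y, f[2])
                   and all(holds(t, z, f[1]) for z in t.labels if t.le(x, z) and (z, y) in t.lt)
                   for y in t.labels if t.le(x, y))
    if op == "EU":  # existential until: psi here, or phi here and the path goes on at a successor
        return holds(t, x, f[2]) or (holds(t, x, f[1]) and any(holds(t, y, f) for y in t.succ(x)))
    raise ValueError(op)


# Initial formulas: ("top",) ("EM", f) ("not", a) ("or", a, b)
def holds_initial(t, a):
    op = a[0]
    if op == "top":
        return True
    if op == "EM":
        return any(holds(t, x, a[1]) for x in t.minimal())
    if op == "not":
        return not holds_initial(t, a[1])
    if op == "or":
        return holds_initial(t, a[1]) or holds_initial(t, a[2])
    raise ValueError(op)


# Derived operators as in the text: F phi = top U phi, G phi = not F not phi.
TOP = ("not", ("bot",))
def atom(a): return ("atom", a)
def F(f): return ("U", TOP, f)
def G(f): return ("not", F(("not", f)))
def AND(f, g): return ("not", ("or", ("not", f), ("not", g)))
def IMPLIES(f, g): return ("or", ("not", f), g)

# The alphabetic properties from the text.
def in_min(a): return ("EM", atom(a))
def in_alph(a): return ("EM", F(atom(a)))
def in_alphinf(a): return ("EM", AND(F(atom(a)), G(IMPLIES(atom(a), ("EX", F(atom(a)))))))

# Constructed sample: a below b and c, which are concurrent, and both below d.
SAMPLE = Trace({1: "a", 2: "b", 3: "c", 4: "d"}, [(1, 2), (1, 3), (2, 4), (3, 4)])


def demo(t=SAMPLE):
    a_or_b, d = ("or", atom("a"), atom("b")), atom("d")
    return {
        "universal_until": holds(t, 1, ("U", a_or_b, d)),     # c lies between a and d: False
        "existential_until": holds(t, 1, ("EU", a_or_b, d)),  # path a -> b -> d: True
        "ex_d_at_b": holds(t, 2, ("EX", d)),
        "a_in_min": holds_initial(t, in_min("a")),
        "d_in_min": holds_initial(t, in_min("d")),
        "d_in_alph": holds_initial(t, in_alph("d")),
        "a_in_alphinf": holds_initial(t, in_alphinf("a")),   # finite trace: no letter at infinity
    }
```

On SAMPLE the two untils disagree at the minimal vertex: (a ∨ b) U d fails because the concurrent vertex c sits between a and d, whereas (a ∨ b) EU d succeeds along the path a, b, d. The recursion in the EU case terminates because the Hasse diagram of a finite trace is acyclic.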

It is clear from the semantics of EX and U that all trace languages expressible 
in LocTL_Σ(EX, U) are also expressible in FO_Σ(<), and even in FO³_Σ(<). This 
is however not true in general for the existential until EU as shown in the next 
example. 

Note that if two traces t1 and t2 have the same minimal letters and for all 
minimal letters the corresponding upper sets in t1 and t2 are the same, then the 
two traces cannot be distinguished by any formula in LocTL_Σ(EX, U, EU). The 
following example for such a situation has been taken from Walukiewicz [21]: 

[Figure: the two traces t1 and t2; not recoverable from the scan.] 

Since t1 and t2 are clearly distinguishable in FO_Σ(<), we deduce that a pure 
future local temporal logic cannot be expressively complete for FO_Σ(<) as soon 
as (Σ, D) is not a cograph. Note that it is easy to distinguish t1 from t2 if we 
allow some past tense modalities or if we introduce a dummy minimal vertex. 
One can also show that the language ad(bc)* ⊆ 𝕄 of finite traces is first order 
but cannot be expressed in LocTL_Σ(EX, U, EU). 

We are interested in the expressive completeness of pure future local temporal 
logics. The simple example above shows that we can restrict our study to traces 
defined by a dependence alphabet that is a cograph. 

The following lemma shows that we can localize initial formulae. 

Lemma 1. Let α ∈ LocTL_Σ(EX, U, EU) be an initial formula. There exists an 
internal formula loc(α) ∈ LocTLⁱ_Σ(EX, U, EU) such that for all t = t1t2 ∈ ℝ and 
x ∈ max(t1) with min(t2) ⊆ D(λ(x)) we have t2 ⊨ α if and only if t, x ⊨ loc(α). 

The same holds for the fragment LocTL_Σ(EX, U). 

Proof. Clearly, we have loc(α ∨ β) = loc(α) ∨ loc(β) and loc(¬α) = ¬loc(α). The 
interesting case is EM φ where φ ∈ LocTLⁱ_Σ. We have loc(EM φ) = EX(φ). □ 

4 Universal Until 

In this section, we consider the fragment of the local temporal logic using next 
and the universal until, only. We give the following characterization of the ex- 
pressive completeness of LocTL_Σ(EX, U) with respect to FO_Σ(<). 

Theorem 2. Let (Σ, D) be a dependence alphabet. Then we have the equality 
LocTL_(Σ,D)(EX, U) = FO_(Σ,D)(<) if and only if (Σ, D) is a cograph. 

Local Temporal Logic Is Expressively Complete 61 

We have seen in the previous section that LocTL_Σ(EX, U) is not expressively 
complete, if (Σ, D) is not a cograph. Conversely, for all dependence alphabets, 
we already know that LocTL_(Σ,D)(EX, U) ⊆ FO_(Σ,D)(<) and that first order 
languages coincide with aperiodic languages (Theorem 1). Hence, in order to get 
the converse inclusion, we will prove that AP ⊆ LocTL_(Σ,D)(EX, U), if (Σ, D) is 
a cograph. 

Before going into the proof, we derive an immediate corollary. It is well-known 
that for words, all first order languages can be expressed with only 3 first order 
variables. This result has been extended to traces by Walukiewicz [?]. In the 
special case of (Σ, D) being a cograph, we get this result as a trivial consequence 
of Theorem 2. 

Corollary 1. If (Σ, D) is a cograph, then FO³_Σ(<) = FO_Σ(<). 

If (Σ, D) is a cograph, then either Σ is a singleton, or Σ is the disjoint union 
of two non empty sets Σ = A ∪ B with either A × B ⊆ I or A × B ⊆ D. We 
consider these three cases in turn. 

Assume that Σ = {a}. Then, traces over Σ coincide with words over Σ and 
the semantics of EX and U coincide with the semantics of the usual next and 
until modalities over words. Therefore, by Kamp's classical theorem [?] we 
obtain the claim in this case. 

Next, we consider the case where the alphabet is the disjoint union of two 
independent subsets. This means ℝ(Σ, D) = ℝ_A × ℝ_B is a direct product. 

Proposition 1. Assume that Σ = A ∪ B with A × B ⊆ I. If we have both AP_A ⊆ 
LocTL_A(EX, U) and AP_B ⊆ LocTL_B(EX, U), then AP_Σ ⊆ LocTL_(Σ,D)(EX, U). 

The last case and the most interesting one is when the dependence alphabet 
is the disjoint union of two fully dependent subsets: Σ = A ∪ B with A ∩ B = ∅ 
and A × B ⊆ D. In this case, the trace monoid 𝕄 is the free product of the 
monoids 𝕄_A and 𝕄_B. 

Proposition 2. Assume that Σ = A ∪ B with A ∩ B = ∅ and A × B ⊆ D. If 
we have both AP_A ⊆ LocTL_A(EX, U) and AP_B ⊆ LocTL_B(EX, U), then AP_Σ ⊆ 
LocTL_(Σ,D)(EX, U). 

Our proof is inspired by a technique introduced by Wilke [23] in order to show 
that aperiodic languages over words are expressible in LTL. This method was 
then extended in order to cope with traces: We have shown in [?] that the most 
natural global temporal logic over traces is expressively complete with respect 
to FO_Σ(<). 

We use several splittings of languages in products. We shall use the following 
composition lemmas to get the expressibility of the products from the expressibil- 
ity of their components. We assume until the end of this section that Σ = A ∪ B 
with A ∩ B = ∅ and A × B ⊆ D. 

Lemma 2. Let L ⊆ ℝ_A be a language expressible in LocTL_A(EX, U). Then, the 
language (L ∩ 𝕄_A) · (min ⊆ B) is expressible in LocTL_Σ(EX, U). 

Lemma 3. Let α ∈ LocTL_A(EX, U). The language (max ⊆ B) · ℒ_A(α) is defin- 
able in LocTL_Σ(EX, U) by the formula 

((alph ⊆ A) ∧ α) ∨ ((alphinf ⊆ A) ∧ EM(F(B ∧ ¬EX F B ∧ loc(α)))). 

Lemma 4. Let L ⊆ ℝ be a language expressible in LocTL_Σ(EX, U). Then, the 
language (L ∩ (max ⊆ B)) · ℝ_A is expressible in LocTL_Σ(EX, U). 

We consider the set Δ = 𝕄 ∪ ((alphinf ⊄ A) ∩ (alphinf ⊄ B)). Note that Δ is 
expressible in LocTL_Σ(EX, U) since it is characterized by alphabetic information. 
Each trace x ∈ Δ has a unique (finite or infinite) factorization x = x1x2⋯ in 
non-empty finite traces alternating 𝕄_A and 𝕄_B. 

Let h : 𝕄 → S be a morphism into some finite aperiodic monoid S. Let 
T = h(𝕄⁺) and let e : T* → S be the evaluation morphism. Using the unique 
factorization of elements x ∈ Δ, we can define a mapping σ : Δ → T^∞ by 
σ(x) = h(x1)h(x2)⋯. This mapping σ allows to reduce our problem to words 
over the alphabet T. 

Lemma 5. Let L ⊆ ℝ be recognized by h. Then, L ∩ Δ = σ⁻¹(K) for some 
language K ⊆ T^∞ expressible in LTL_T(XU). 

Proof. Let K = [σ(L ∩ Δ)]_{≈_e}. By definition, K is recognized by the evaluation 
morphism e into the aperiodic monoid S. Hence K is an aperiodic word language 
over T. Since, by Kamp's Theorem on words, AP_T = FO_T(<) = LTL_T(XU), we 
deduce that K is expressible in LTL_T(XU). Therefore, it remains to show that 
L ∩ Δ = σ⁻¹(K). The inclusion L ∩ Δ ⊆ σ⁻¹(K) is clear. 

For the converse inclusion, let y ∈ σ⁻¹(K). There exists x ∈ L ∩ Δ such that 
σ(x) ≈_e σ(y). Note that x is finite iff y is finite and in this case h(x) = e(σ(x)) = 
e(σ(y)) = h(y). Therefore, y ∼_h x ∈ L and we deduce y ∈ L. Assume now that 
x and y are both infinite. Using the following claim we also have y ≈_h x and we 
deduce as above that y ∈ L. 

Claim: Let x = x1x2⋯ ∈ ℝ and y = y1y2⋯ ∈ ℝ with x_i, y_i ∈ 𝕄⁺. If 
h(x1)h(x2)⋯ ≈_e h(y1)h(y2)⋯, then x ≈_h y. □ 

In order to make use of the previous lemma, we need to lift through σ an 
LTL formula over T to some local temporal formula. This is the purpose of the 
next lemma. 

Lemma 6. Let f ∈ LTL_T(XU). There exists a formula f̃ ∈ LocTL_Σ(EX, U) 
such that ℒ(f̃) = σ⁻¹(ℒ(f)). 

Proof. The lemma is shown by structural induction on the formula f. First, 
⊤̃ = ⊤, (φ ∨ ψ)~ = φ̃ ∨ ψ̃, and (¬φ)~ = Δ ∧ ¬φ̃. Now, it can be shown that (φ XU ψ)~ 
equals 

Δ ∧ EM(((A ∧ EX A) ∨ (B ∧ EX B) ∨ loc(φ̃)) U (((A ∧ EX B) ∨ (B ∧ EX A)) ∧ loc(ψ̃))) 

It remains to deal with the case f = s with s ∈ T. We have ℒ(s) = sT^∞ and 
σ⁻¹(sT^∞) = Δ ∩ ((h⁻¹(s) ∩ 𝕄⁺_A)(min ⊆ B) ∪ (h⁻¹(s) ∩ 𝕄⁺_B)(min ⊆ A)). 
The language h⁻¹(s) ∩ 𝕄⁺_A is recognized by h|_{𝕄_A} and is therefore an aperiodic 
language over 𝕄_A. Since we have assumed AP_A ⊆ LocTL_A(EX, U), the language 
h⁻¹(s) ∩ 𝕄⁺_A is expressible in LocTL_A(EX, U). Using Lemma 2 we deduce that 
(h⁻¹(s) ∩ 𝕄⁺_A)(min ⊆ B) is expressible in LocTL_Σ(EX, U). Similarly, (h⁻¹(s) ∩ 
𝕄⁺_B)(min ⊆ A) is expressible in LocTL_Σ(EX, U) and we deduce that σ⁻¹(sT^∞) 
is expressible in LocTL_Σ(EX, U). □ 

Now, we have all we need in hand to prove the main result of this section. 

Proof of Proposition 2. Let L ⊆ ℝ be recognized by the morphism h. Since 
ℝ = Δ ∪ (alphinf ⊆ A) ∪ (alphinf ⊆ B), we have 

L = (L ∩ Δ) ∪ (L ∩ (alphinf ⊆ A)) ∪ (L ∩ (alphinf ⊆ B)). 

From Lemmas 5 and 6 we deduce that L ∩ Δ is expressible in LocTL_Σ(EX, U). 

One can show that the language L ∩ (alphinf ⊆ A) is a finite union of products 
(L1 ∩ (max ⊆ B)) · (L2 ∩ ℝ_A), where L1 and L2 are languages recognized by h. 

Since (max ⊆ B) ⊆ 𝕄 ⊆ Δ, we have L1 ∩ (max ⊆ B) = (L1 ∩ Δ) ∩ (max ⊆ 
B). Now, L1 is recognized by h and using Lemmas 5 and 6 we deduce that 
L1 ∩ Δ is expressible in LocTL_Σ(EX, U). Finally, from Lemma 4 we deduce that 
(L1 ∩ (max ⊆ B)) · ℝ_A is expressible in LocTL_Σ(EX, U). 

Now, L2 is recognized by h. Hence, L2 ∩ ℝ_A is recognized by h|_{𝕄_A} and 
is therefore an aperiodic language over ℝ_A. Since we have assumed AP_A ⊆ 
LocTL_A(EX, U), L2 ∩ ℝ_A is also expressible in LocTL_A(EX, U). Using Lemma 3 
we deduce that (max ⊆ B) · (L2 ∩ ℝ_A) is expressible in LocTL_Σ(EX, U). 

Finally, the product (max ⊆ B) · ℝ_A is unambiguous, hence we have 

(L1 ∩ (max ⊆ B)) · (L2 ∩ ℝ_A) = (L1 ∩ (max ⊆ B)) · ℝ_A ∩ (max ⊆ B) · (L2 ∩ ℝ_A). 

We deduce that (L1 ∩ (max ⊆ B)) · (L2 ∩ ℝ_A) is expressible in LocTL_Σ(EX, U). 
Therefore, L ∩ (alphinf ⊆ A) is expressible in LocTL_Σ(EX, U). □ 



5 Existential Until 

In this section, we consider the fragment of the local temporal logic using next 
and the existential until only. We prove the following characterization. 

Theorem 3. Let (Σ, D) be a dependence alphabet. Then we have the equality 
LocTL_(Σ,D)(EX, EU) = FO_(Σ,D)(<) if and only if (Σ, D) is a cograph. 

We have seen in Section 3 that LocTL_Σ(EX, EU) is not expressively complete, 
if (Σ, D) is not a cograph. Conversely, the proofs of Propositions 1 and 2 can 
be carried out with slight modifications using the existential until instead of the 
universal until. Therefore, we get FO_(Σ,D)(<) = AP ⊆ LocTL_(Σ,D)(EX, EU) if 
(Σ, D) is a cograph. The difficulty with the existential until is that we do not get 
the converse inclusion for free as with the universal until. Indeed, the semantics 
of existential until is given by a monadic second order formula since it claims the 
existence of some path in the trace. This MSO formula can be expressed in first 
order, if (Σ, D) is a cograph. This is certainly not true for arbitrary dependence 
alphabets as shown by the following example. 

Fig. 1. The dependence alphabet (Σ, D) and some traces. 

Consider the dependence alphabet (Σ, D) depicted in Figure 1. Let t = 
bdegachf ∈ 𝕄 and let φ = (a ∨ b ∨ c ∨ d) EU g. Then, it is easy to ver- 
ify that ah tⁿ bⁿ ⊨ EM φ if and only if n is even. Now, the trace language t* 
is aperiodic. Therefore, the language ah t* bⁿ is aperiodic as well and we have 
ah t* bⁿ ∩ ℒ(EM φ) = ah (t²)* bⁿ which is not aperiodic. Since aperiodic languages 
are closed under intersection, we deduce that ℒ(EM φ) is not aperiodic. There- 
fore, LocTL_(Σ,D)(EU) ⊄ FO_(Σ,D)(<) for the dependence alphabet of Figure 1. 

The key result for showing that LocTL_(Σ,D)(EX, EU) ⊆ FO_(Σ,D)(<), if the 
dependence alphabet is a cograph, is to express in FO_Σ(<) the existence of a 
path satisfying some first order formula. Let φ(z) be a first order formula with 
z as only free variable and let C ⊆ Σ. We define the formula Path^φ_C(x, y) by 

(∀x < z < y, λ(z) ∈ C) and 

(∃x = z1 ⋖ ⋯ ⋖ zn = y, with φ(zk) for all 1 ≤ k ≤ n). 



Lemma 7. If (Σ, D) is a cograph, then the formula Path^φ_Σ(x, y) can be expressed 
in first order. 

Proof. If (Σ, D) is a cograph, then either Σ is a singleton, or Σ is the disjoint 
union of two non empty sets Σ = A ∪ B with either A × B ⊆ I or A × B ⊆ D. 
We consider these three cases in turn. 

First, assume that Σ = {a} is a singleton, then 

Path^φ_{a}(x, y) = x < y ∧ ∀x < z < y, (λ(z) = a) ∧ φ(z). 

Next, assume that Σ = A ∪ B with A × B ⊆ I. Then, we have 

Path^φ_{A∪B}(x, y) = Path^φ_A(x, y) ∨ Path^φ_B(x, y). 

Finally, we consider the more interesting case Σ = A ∪ B with A ∩ B = ∅ and 
A × B ⊆ D. Then, we have 

Path^φ_{A∪B}(x, y) = Path^φ_A(x, y) ∨ Path^φ_B(x, y) ∨ (Φ(x, y) ∧ Ψ(x, y)) 

where the formulae Φ(x, y) and Ψ(x, y) are defined below. We give simultaneously 
pictures that should help understanding the formulae. The vertical lines in the 
pictures indicate a separation between factors from 𝕄_A and factors from 𝕄_B. 

[Picture for Φ(x, y) not recoverable from the scan: it shows x ≤ x' < y' ≤ y with the factor boundaries.] 

Φ(x, y) = ∃x ≤ x' < y' ≤ y, 
    ( ∀x ≤ u ≤ x', (λ(u) ∈ A ⇔ λ(x) ∈ A) 
    ∧ ∀x' ⋖ u, (λ(u) ∈ A ⇔ λ(x) ∉ A) 
    ∧ (Path^φ_A(x, x') ∨ Path^φ_B(x, x')) 
    ∧ ∀y' ≤ u ≤ y, (λ(u) ∈ A ⇔ λ(y) ∈ A) 
    ∧ ∀u ⋖ y', (λ(u) ∈ A ⇔ λ(y) ∉ A) 
    ∧ (Path^φ_A(y', y) ∨ Path^φ_B(y', y)) ) 

and 

[Picture for Ψ(x, y) not recoverable from the scan: it shows x ≤ x' < y' ≤ y and x' ≤ x'' < y'' ≤ y'.] 

Ψ(x, y) = ∀x ≤ x' < y' ≤ y, 
    ( (λ(x') ∈ A ⇔ λ(y') ∈ A) 
    ∧ ∃x' < u < y', (λ(u) ∈ A ⇔ λ(x') ∉ A) 
    ∧ ∀x' < u < y', (λ(u) ∈ A ⇔ λ(x') ∉ A) ) 
    ⇒ (∃x' ≤ x'' < y'' ≤ y', Path^φ_A(x'', y'') ∨ Path^φ_B(x'', y'')) 

□ 



From this lemma, we immediately deduce the desired result. 

Proposition 3. If the dependence alphabet is a cograph, then the existential 
modality EU can be expressed in FO_Σ(<). 

Proof. Follows directly from Lemma 7 since we have 

t, x ⊨ φ EU ψ iff t, x ⊨ ψ or ∃y, Path^φ_Σ(x, y) and ∃z, y ⋖ z and t, z ⊨ ψ 

The logic TLC introduced in [1] uses EX, EU, the dual past modalities EY and 
ES and two additional modalities: Eco φ claiming that φ holds for some vertex 
that is concurrent with the current one; and EG φ claiming the existence of some 
maximal path starting from the current vertex such that φ holds everywhere 
along this path. EY and Eco are clearly first order modalities, while ES and EG 
are in general only (monadic) second order. But, using the technique of Lemma 7 
and Proposition 3, one can show that ES and EG are expressible in first order, if 
the dependence alphabet is a cograph. 

Proposition 4. Let (Σ, D) be a dependence alphabet which is a cograph. Then, 
TLC_(Σ,D) ⊆ FO_(Σ,D)(<). 



6 Complexity 

In this section, we show that the satisfiability problem for local temporal logics 
is PSPACE-complete. The PSPACE-hardness is a consequence of the PSPACE- 
hardness for words. For TLC the inclusion in PSPACE has been shown in [1]. 
In order to prove that our problem is still in PSPACE, we have to deal with 
the universal until-operator which we have introduced here. For this, we asso- 
ciate with each initial formula α an alternating automaton that accepts all the 
linearizations of the traces that model α. Here, we describe the construction for 
the pure future local temporal logic LocTL_Σ(EX, U). We assume the reader is 
familiar with alternating automata and the usual translation from LTL formulae 
to alternating automata [?]. 

Let α ∈ LocTL_Σ(EX, U). Without loss of generality, we assume that the 
negations in α are only over formulae of the form EM φ or b or EX φ or φ U ψ. 
We construct an alternating automaton A_α as follows. The set of states is Q ∪ Q̄ 
where 

Q = {ψ | ψ is a subformula of α of the form EM φ or b or EX φ or φ U ψ} 
  ∪ {(D(B), EM φ) | EM φ is a subformula of α, B ⊆ Σ and Σ \ D(B) ≠ ∅} 
  ∪ {(D(a), D(B), EX φ) | EX φ is a subformula of α, a ∈ Σ, B ⊆ Σ, 
      {a} ∪ B connected and D(a) \ D(B) ≠ ∅} 
  ∪ {(D(A), D(B), φ U ψ) | φ U ψ is a subformula of α, A, B ⊆ Σ, 
      A ∪ B connected and D(A) \ D(B) ≠ ∅} 

and Q̄ = {¬p | p ∈ Q}. The set of positive boolean combinations of states is 
denoted B⁺(Q ∪ Q̄). The initial state is α ∈ B⁺(Q ∪ Q̄). We define the extended 
transition function δ : B⁺(Q ∪ Q̄) × Σ → B⁺(Q ∪ Q̄) as follows. 

$$\begin{aligned}
\delta(f \vee g, a) &= \delta(f, a) \vee \delta(g, a), && \text{for } f, g \in B^+(Q), \\
\delta(f \wedge g, a) &= \delta(f, a) \wedge \delta(g, a), && \text{for } f, g \in B^+(Q), \\
\delta(EM\,\varphi, a) &= \delta(\varphi, a) \\
&\quad \vee\ (D(a), EM\,\varphi) && \text{if } D(a) \neq \Sigma, \\
\delta((D(B), EM\,\varphi), a) &= (D(B) \cup D(a), EM\,\varphi) && \text{if } D(B) \cup D(a) \neq \Sigma, \\
&\quad \vee\ \delta(\varphi, a) && \text{if } a \notin D(B), \\
\delta(b, a) &= \top \ \text{if } a = b, \quad \bot \ \text{if } a \neq b, \\
\delta(EX\,\varphi, a) &= (D(a), \emptyset, EX\,\varphi), \\
\delta((D(A), D(B), EX\,\varphi), a) &= (D(A), D(B) \cup D(a), EX\,\varphi) && \text{if } a \in D(A) \cup D(B) \text{ and } D(A) \setminus (D(B) \cup D(a)) \neq \emptyset, \\
&\quad \vee\ (D(A), D(B), EX\,\varphi) && \text{if } a \notin D(A) \cup D(B), \\
&\quad \vee\ \delta(\varphi, a) && \text{if } a \in D(A) \setminus D(B), \\
\delta(\varphi\,U\,\psi, a) &= \delta(\psi, a) \vee \bigl(\delta(\varphi, a) \wedge (D(a), \emptyset, \varphi\,U\,\psi)\bigr), \\
\delta((D(A), D(B), \varphi\,U\,\psi), a) &= (D(A), D(B) \cup D(a), \varphi\,U\,\psi) && \text{if } a \in D(A) \cup D(B) \text{ and } D(A) \setminus (D(B) \cup D(a)) \neq \emptyset, \\
&\quad \vee\ (D(A), D(B), \varphi\,U\,\psi) && \text{if } a \notin D(A) \cup D(B), \\
&\quad \vee\ \delta(\varphi, a) \wedge (D(A) \cup D(a), D(B), \varphi\,U\,\psi) && \text{if } a \in D(A) \setminus D(B), \\
&\quad \vee\ \delta(\psi, a) && \text{if } a \in D(A) \setminus D(B), \\
\delta(\neg p, a) &= \overline{\delta(p, a)}, && \text{for } p \in Q;
\end{aligned}$$

where $\overline{f \vee g} = \bar f \wedge \bar g$ and $\overline{f \wedge g} = \bar f \vee \bar g$ for f, g ∈ B⁺(Q); and $\bar p = \neg p$ and $\overline{\neg p} = p$ for p ∈ Q. The actual transition function of A_α is the restriction of δ to (Q ∪ Q̄) × Σ.

The states in Q represent obligations that the word has to fulfill in order to be accepted, hence an infinite branch looping on such a state should not be accepted. Therefore, the co-Büchi acceptance condition is given by the set Q. Note that the alternating automaton defined above is very weak. Hence, each infinite branch in the run of the alternating automaton is ultimately constant, and the co-Büchi acceptance condition Q is equivalent to the Büchi acceptance condition Q̄.



Proposition 5. The automaton A_α accepts the word language

$$L(A_\alpha) = \{w \mid [w] \models \alpha\},$$

where [w] denotes the trace associated with the word w.

Let N(Σ, D) = 1 + |{(D(A), D(B)) | A, B ⊆ Σ, A ∪ B connected and D(A) \ D(B) ≠ ∅}|. The number of states of the automaton A_α is |Q ∪ Q̄| ≤ 2N(Σ, D)|α|. Note that when the dependence relation is full, that is, when traces are actually words, then N(Σ, D) = 2 and the size of our automaton does not depend on the size of the alphabet. In this case, we essentially get the usual construction for LTL formulae over words.

In fact, we shall use a slightly better parameter. Decompose (Σ, D) into its connected components such that (Σ, D) is a disjoint union of connected graphs (Σ_i, D_i) for 1 ≤ i ≤ k. Let M = max_{1 ≤ i ≤ k} N(Σ_i, D_i). Using this parameter M we can state:

Theorem 4. Let M be defined as above and let M be bounded by some constant which is not part of the input. Then the satisfiability problem for the local logic LocTL_Σ(EX, U) is PSPACE-complete.

Proof. The PSPACE-hardness follows from the word case. The PSPACE algorithm reduces the satisfiability problem in a first phase to a conjunction of satisfiability problems, one for each connected component of (Σ, D). Then we can check emptiness for the alternating automata according to the construction in Proposition 5. Checking emptiness for an alternating automaton can be done in PSPACE with respect to the size of the automaton. □
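As an added illustration (this code is not from the paper), the following Python computes the parameter N(Σ, D) defined above by brute-force enumeration of the pairs (D(A), D(B)), the parameter M over the connected components of (Σ, D), and the resulting bound 2N(Σ, D)|α| on the number of states of A_α. The dependence alphabets it is run on are constructed for the example, and the function names are not the paper's. It confirms the remark that N(Σ, D) = 2 for a full dependence relation and shows how the parameter grows for a sparse one (the path a-b-c gives N = 6).

```python
from itertools import combinations
from collections import deque

def dependence(alphabet, edges):
    """D(a) for each letter a: the reflexive, symmetric closure of the listed dependencies."""
    dep = {a: {a} for a in alphabet}
    for a, b in edges:
        dep[a].add(b); dep[b].add(a)
    return dep

def d_of(dep, letters):
    """D(A) = union of D(a) over a in A (so D(empty set) is empty)."""
    return frozenset(b for a in letters for b in dep[a])

def connected(dep, letters):
    """Is the subgraph of (Sigma, D) induced by `letters` connected? The empty set is not."""
    letters = set(letters)
    if not letters: return False
    start = next(iter(letters)); seen = {start}; todo = deque([start])
    while todo:
        a = todo.popleft()
        for b in dep[a] & letters:
            if b not in seen: seen.add(b); todo.append(b)
    return seen == letters

def subsets(alphabet):
    letters = sorted(alphabet)
    for r in range(len(letters) + 1):
        for c in combinations(letters, r): yield frozenset(c)

def n_param(alphabet, edges):
    """N(Sigma, D) = 1 + number of distinct pairs (D(A), D(B)) with A, B subsets of Sigma,
    A u B connected and D(A) minus D(B) nonempty."""
    dep = dependence(alphabet, edges)
    pairs = set()
    for A in subsets(alphabet):
        for B in subsets(alphabet):
            if connected(dep, A | B) and d_of(dep, A) - d_of(dep, B):
                pairs.add((d_of(dep, A), d_of(dep, B)))
    return 1 + len(pairs)

def components(alphabet, edges):
    """Connected components (Sigma_i, D_i) of the dependence alphabet."""
    dep = dependence(alphabet, edges)
    left, comps = set(alphabet), []
    while left:
        a = next(iter(left)); comp = {a}; todo = deque([a])
        while todo:
            x = todo.popleft()
            for y in dep[x]:
                if y not in comp: comp.add(y); todo.append(y)
        comps.append(frozenset(comp)); left -= comp
    return comps

def m_param(alphabet, edges):
    """M = max over the connected components of N(Sigma_i, D_i)."""
    return max(n_param(c, [(a, b) for a, b in edges if a in c]) for c in components(alphabet, edges))

def state_bound(alphabet, edges, formula_size):
    """The bound 2 N(Sigma, D) |alpha| on |Q u Qbar| for the automaton A_alpha."""
    return 2 * n_param(alphabet, edges) * formula_size

# Constructed example alphabets: a full dependence relation on {a, b, c},
# the path a-b-c, and the path plus an isolated letter d.
FULL = ({'a', 'b', 'c'}, [('a', 'b'), ('b', 'c'), ('a', 'c')])
PATH = ({'a', 'b', 'c'}, [('a', 'b'), ('b', 'c')])
PATH_PLUS_D = ({'a', 'b', 'c', 'd'}, [('a', 'b'), ('b', 'c')])
```

On these inputs `n_param` returns 2 for the full relation (only the pair (Σ, ∅) survives, exactly the word case) and 6 for the path, while `m_param` on the path plus the isolated letter d still gives 6: the isolated component contributes N = 2 and does not raise M, which is the parameter Theorem 4 requires to be bounded by a constant.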

The construction of an alternating automaton associated with a local temporal logic formula can be carried out for the existential until EU and the operator EG from TLC. Also, we can extend the construction to the past modalities EY, S and ES and to the operator Eco from TLC if we use two-way alternating automata. Since the emptiness problem for two-way alternating automata is also PSPACE-complete, we get a similar result for the local temporal logic using all operators. This extends the result in [1] concerning TLC.

7 Conclusion

We have defined a basic and natural local logic for Mazurkiewicz traces which is expressively complete with respect to first order if and only if the dependence alphabet is a cograph, i.e., all traces are series parallel graphs. The main open problem remains to define a (natural) local logic which yields expressive completeness for more general (best for all) dependence alphabets, and such that the satisfiability problem is in PSPACE or at least elementary.

There is a proposal by Walukiewicz for a local logic for traces, but his focus is on monadic second order logic and based on a μ-calculus, so it is of quite different spirit.
Abstract. We investigate the model checking problems for guarded first-order and fixed point logics by reducing them to parity games. This approach is known to provide good results for the modal μ-calculus and is very closely related to automata-based methods. To obtain good results also for guarded logics, optimized constructions of games have to be provided.

Further, we study the structure of parity games, isolate ‘easy’ cases that admit efficient algorithmic solutions, and determine their relationship to specific fragments of guarded fixed point logics.



1 Introduction

Guarded logics are fragments of first-order logic, second-order logic, or fixed point logics defined by restricting quantification so that, semantically speaking, each subformula can simultaneously refer only to elements that are ‘very close together’ or ‘guarded’. The main motivation for the investigation of guarded logics was to explain the good algorithmic and model-theoretic properties of propositional modal logics (in a broad sense, including verification logics like CTL and the modal μ-calculus) and to generalize them to a richer setting. The goal was to define natural and expressive logics that could be used on relational structures of arbitrary vocabulary and still would retain convenient features of modal logic, such as the characterization via an appropriate notion of bisimulation, the applicability of automata-based methods, and the good balance between expressiveness and algorithmic manageability (see [13]).

Syntactically, guarded logics are based on a restriction of first-order quantification to the form ∃ȳ(α(x̄, ȳ) ∧ ψ(x̄, ȳ)) or ∀ȳ(α(x̄, ȳ) → ψ(x̄, ȳ)), where quantifiers may range over a tuple ȳ of variables, but are ‘guarded’ by a formula α that must contain all the free variables of the formula ψ that is quantified over. The guard formulae are of a simple syntactic form (in the basic version, they are just atoms). Depending on the conditions imposed on guard formulae, one has logics with different levels of ‘guardedness’. In this paper we consider guarded fragments of first-order logic and least fixed point logic with two notions of guardedness.

While model-theoretic properties and satisfiability algorithms for guarded logics have already been studied rather extensively, the model checking problem has not yet received as much attention. A guarded variant of Datalog, called Datalog LITE, has been introduced which is shown to admit efficient query evaluation (linear time in the query length and the size of the database). Datalog LITE is equivalent, via efficient translations, to the alternation-free portion of the guarded fixed point logic μGF, so we have efficient model checking for an interesting part of μGF. Guarded logics have also been related to the complexity of query evaluation, in particular for conjunctive queries. However, a systematic and comprehensive study of the complexity of model checking problems for guarded logics has not been done yet. In this paper, we attack this problem by developing the game approach to model checking for these logics.

Games and Model Checking for Guarded Logics. In: R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 70-84, 2001. © Springer-Verlag Berlin Heidelberg 2001.

It is well-known that model checking problems for almost any logic can be cast as strategy problems for the appropriate evaluation games (also called Hintikka games). That is, a sentence ψ is true in a structure 𝔄 if and only if Verifier (alias Player 0, alias Eloise) has a winning strategy in the associated Hintikka game G(𝔄, ψ). For first-order logic, evaluation games are well-founded (i.e., all plays are finite) and the strategy problem can be solved in linear time in the size of the game. For fixed point logics, the appropriate evaluation games are parity games. These are infinite games where each position is assigned a natural number, called its priority, and the winner of an infinite play is determined according to whether the least priority seen infinitely often during the play is even or odd. It is open whether winning sets and winning strategies for parity games can be computed in polynomial time. The best algorithms known today are polynomial in the size of the game, but exponential with respect to the number of priorities. Competitive model checking algorithms for the modal μ-calculus work by solving the strategy problem for the associated parity game.

The reason for the good model checking properties of guarded logics is that the associated evaluation games remain small. Indeed, guarded quantification limits the number of possible moves in the evaluation games and thus leads to smaller game graphs. We analyze the translation from guarded formulae to evaluation games and determine the complexity of the resulting games in terms of structural parameters of formulae and input structures. As a consequence, guarded fixed point logics admit efficient model checking if and only if parity games can be efficiently solved. While we do not know whether this is possible in general, we analyze the structure of parity games and isolate ‘easy’ cases that admit efficient solutions. With this analysis, we also try to make precise some of the game theoretic intuitions that underlie algorithmic approaches to automata and model checking problems. We link these ‘easy games’ to logic and thus obtain efficient model checking algorithms for fragments of guarded fixed point logic.



2 Guarded Logics

Definition 1. The guarded fragment GF of first-order logic is defined inductively as the closure of atomic formulae (in a relational vocabulary, with equality) under Boolean connectives and the following quantification rule: For every formula ψ(x̄, ȳ) ∈ GF and every atom α(x̄, ȳ) such that {y : y in ȳ} ∪ free(ψ) ⊆ free(α), the formulae ∃ȳ(α(x̄, ȳ) ∧ ψ(x̄, ȳ)) and ∀ȳ(α(x̄, ȳ) → ψ(x̄, ȳ)) also belong to GF. The semantics is the usual one for first-order logic.

Here, free(ψ) means the set of free variables of ψ. An atom α(x̄, ȳ) that relativizes a quantifier as in the quantification rule for GF is the guard of the quantifier. We sometimes use the notation (∃ȳ . α)ψ and (∀ȳ . α)ψ for guarded formulae.

Guarded fixed point logic. The natural fixed point extension of GF is μGF and was introduced in [15]. It relates to GF in the same way as the modal μ-calculus relates to propositional modal logic and as least fixed point logic LFP (popular in finite model theory) relates to first-order logic FO.

Definition 2. μGF extends GF by the following rules for constructing fixed point formulae: Let T be a k-ary relation symbol, x̄ = x_1, …, x_k a k-tuple of distinct variables, and ψ(T, x̄) a formula that contains only positive occurrences of T, no free first-order variables other than x_1, …, x_k, and where T is not used in guards. Then we can build the formulae

[LFP Tx̄ . ψ](x̄) and [GFP Tx̄ . ψ](x̄).

The semantics of the fixed point formulae is the usual one: Given a structure 𝔄 providing interpretations for all free second-order variables in ψ except T, we have 𝔄 ⊨ [LFP Tx̄ . ψ(T, x̄)](ā) iff ā is contained in the least fixed point of the monotone operator mapping each T ⊆ A^k to the set {ā ∈ A^k : 𝔄 ⊨ ψ(T, ā)}, and similarly for GFP and greatest fixed points.

It is clear that μGF generalizes the modal μ-calculus L_μ and also the μ-calculus with inverse modalities. Hence the algorithmic problems for μGF, even for formulae with two variables, are at least as hard as for L_μ.

Note that there are two important syntactic restrictions for μGF: Fixed point variables may not be used in guards, and fixed point formulae may not contain parameters, i.e., other free variables than those used for constructing the fixed point. These restrictions on μGF are essential. Relaxing either of them would make the logic lose its desirable properties (decidability, closure under guarded bisimulation, tree model property). Hence μGF is contained in the parameter-free fragment of the least fixed point logic, which behaves somewhat differently than full LFP. For instance, while the expression complexity and combined complexity of LFP formulae of bounded width (even for width 2) is PSPACE-complete if parameters are allowed, the same problems for parameter-free formulae can be solved in NP ∩ co-NP.

Clique guarded logics. In GF and μGF only atomic formulae can be used as guards. For some applications this is too restrictive (for instance, temporal operators like until cannot be expressed). There exist more general notions of guardedness that lead to more expressive guarded logics but preserve most of their desirable model-theoretic and algorithmic properties. The most powerful and arguably also the most natural of these extensions are the clique guarded logics.

Definition 3. Let 𝔄 = (A, R_1, …, R_m) be a relational structure. A set X ⊆ A is guarded in 𝔄 if X = {a} or if there is a tuple ā ∈ R_i (for some i ≤ m) such that X = {a : a in ā}. A set X ⊆ A is clique guarded in 𝔄 if for any two elements a, a' of X there exists a guarded set containing both a and a'. (To put it differently, X induces a clique in the Gaifman graph of 𝔄.) A tuple ā ∈ A^k is (clique) guarded if ā ∈ X^k for some clique guarded set X.

Note that for each finite vocabulary τ and each k ∈ ℕ, there is a positive, existential first-order formula clique(x_1, …, x_k) such that, for every τ-structure 𝔄 and every k-tuple ā ∈ A^k, 𝔄 ⊨ clique(ā) ⟺ ā is clique guarded in 𝔄.

Definition 4. The clique guarded fragment CGF of first-order logic and the clique guarded fixed point logic μCGF are defined in the same way as GF and μGF, but with the clique-formulae as guards. Hence, the quantification rule for CGF and μCGF is the following: If ψ(x̄, ȳ) is a formula of CGF or μCGF, then

∃ȳ(clique(x̄, ȳ) ∧ ψ(x̄, ȳ)) and ∀ȳ(clique(x̄, ȳ) → ψ(x̄, ȳ))

belong to CGF, provided that free(ψ) ∪ {y : y in ȳ} ⊆ free(clique).

In practice, one will not want to spell out the clique-formulae explicitly. One possibility is not to write them down at all, i.e., to take the usual (unguarded) first-order syntax and to change the semantics of quantifiers so that only clique guarded tuples are considered. Another common option is to use as guards any formula implying a clique formula, i.e., any formula of the form γ(x̄, ȳ) := ∃z̄ β(x̄, ȳ, z̄) where β is a conjunction of atoms such that each pair of variables from free(γ) occurs together in at least one conjunct of β. As we want our complexity results to be as powerful as possible, we do not take into account the length of clique guards at all. For background on clique guarded logics and their relations to other notions such as the loosely guarded or packed fragments, see the cited literature.

Normal forms and alternation depth. We will always assume that fixed point formulae are in negation normal form, i.e., that negations apply to atoms only, and that formulae are well-named, i.e., every fixed point variable is bound only once and the free second-order variables are distinct from fixed point variables. We write D_ψ(T) for the unique subformula in ψ of form [FP Tx̄ . φ(T, x̄)] (here and in the following FP means either LFP or GFP). For technical reasons, we finally assume that each fixed point variable T occurs in D_ψ(T) only inside the scope of a quantifier. This is a common assumption that does not affect the expressive power.

We say that T depends on T' if it occurs free in D_ψ(T'). The transitive closure of this dependency relation is called the dependency order, denoted by ⊑_ψ. The alternation level al_ψ(T) of T in ψ is the maximal number of alternations between least and greatest fixed point variables on the ⊑_ψ-paths descending from T. The alternation depth ad(ψ) of a fixed point sentence ψ is the maximal alternation level of its fixed point variables.
3 Evaluation Games for Guarded Logics

Parity games are two-player games of possibly infinite duration. We describe a parity game formally by a labelled graph G = (V, V_0, E, Ω) over a finite set of positions V with a designated subset V_0, an irreflexive edge relation E representing the possible moves, and a labelling function Ω : V → ℕ that assigns to each position a priority. The number of different priorities used in the game is the index of G.

A play of G is a path v_0, v_1, … formed by the two players starting from a given position v_0. If the current position v belongs to V_0, Player 0 chooses a move (v, w) ∈ E and the play proceeds from w. Otherwise, her opponent, Player 1, chooses the move. When no moves are available at the current position, the player who has to choose loses. In case this never occurs the play goes on infinitely and the winner is established by looking at the sequence Ω(v_0), Ω(v_1), … If the least priority appearing infinitely often in this sequence is even, Player 0 wins the play, otherwise Player 1 wins.

Let V_1 := V \ V_0 be the set of positions where Player 1 moves. A positional strategy for Player i in G is a function f : V_i → V which indicates a choice (v, f(v)) ∈ E for every position v ∈ V_i. (It is called positional, because it does not depend on the history of the play, but only on the current position.) A strategy for a player is winning from position v_0 if the indicated choices allow him to win every play starting from v_0. We say a strategy is winning on a set W if it is winning from each position in W. The Forgetful Determinacy Theorem for parity games [5] states that these games are always determined (i.e. from each position one of the players has a winning strategy) and in fact, positional strategies always suffice.

Theorem 1 (Forgetful Determinacy). In any parity game the set of positions can be partitioned into two sets W_0 and W_1 such that Player 0 has a positional winning strategy on W_0 and Player 1 has a positional winning strategy on W_1.

We call W_0 and W_1 the winning sets of Player 0 and, respectively, Player 1, and the pair (W_0, W_1) the winning partition or solution of G. Since positional strategies are small objects and since it can be efficiently checked whether a strategy is winning, it can be decided in NP ∩ co-NP whether a given position in a parity game is a winning position for Player 0. In fact, it is known that the problem is in UP ∩ co-UP. The best known deterministic algorithms to compute winning partitions of parity games have running times that are polynomial with respect to the size of the game graph, but exponential with respect to the index of the game.

Theorem 2. The winning partition of a parity game G = (V, V_0, E, Ω) of index d can be computed in space O(d · |E|) and time







Game semantics for fixed point formulae. Consider a finite structure 𝔄 and a guarded fixed point sentence ψ which we assume to be well-named and in negation normal form.

The model checking game G(𝔄, ψ) is a parity game whose positions are pairs (φ, ρ) such that φ is a subformula of ψ, and ρ is an assignment from the free first-order variables of φ to elements of 𝔄. The initial position is the pair (ψ, ∅).

Verifier (Player 0) moves at positions associated to disjunctions and to formulae starting with an existential quantifier. From a position (φ ∨ ϑ, ρ) she moves to either (φ, ρ) or (ϑ, ρ). From a position ((∃ȳ . α)φ, ρ) Verifier can move to any position (φ, ρ') such that ρ' is the restriction to free(φ) of an assignment ρ⁺ : free(α) → A with ρ⁺ ⊇ ρ and 𝔄 ⊨ α[ρ⁺]. In addition, Verifier is supposed to move at atomic false positions, i.e., at positions (φ, ρ) such that φ is a literal x = y, x ≠ y, Rx̄, or ¬Rx̄ (where R is not a fixed point variable) and 𝔄 ⊨ ¬φ[ρ]. However, positions associated with literals have no successors, so Verifier loses at atomic false positions.

Dually, Falsifier (Player 1) moves at conjunctions and universal quantifications, and loses at atomic true positions. In addition there are positions associated with fixed point formulae and with fixed point atoms. At these positions there is a unique move (by Falsifier, say) to the formula defining the fixed point. For a more formal definition, recall that as ψ is well-named there is for any fixed point variable T in ψ a unique subformula [FP Tx̄ . φ(T, x̄)](x̄). From position ([FP Tx̄ . φ(T, x̄)](x̄), ρ) Falsifier moves to the pair (φ, ρ), and from (Tȳ, ρ) he moves to the position (φ(T, x̄), ρ') with ρ'(x̄) = ρ(ȳ).

In the simple case where we do not have fixed points (i.e., we deal with formulae from GF or CGF), the game is just the guarded version of the usual Hintikka game for first-order logic. In particular, it is well-founded, and it should be obvious that Verifier has a winning strategy for G(𝔄, ψ) iff 𝔄 ⊨ ψ. Next, we consider the case of a formula with just one least fixed point. From a position ([LFP Tx̄ . φ(T, x̄)](x̄), ρ) the Verifier tries to establish that ρ(x̄) enters T at stage α of the fixed point induction defined by φ. The game goes to (φ, ρ) and from there, as φ is a guarded first-order formula, Verifier can either win the φ-game in a finite number of steps, or she can force it to a position (Tȳ, ρ') where ρ'(ȳ) enters the fixed point at some stage β < α. The game then resumes at a position associated with φ. As any descending sequence of ordinals is finite, Verifier will win the game in a finite number of steps. If the formula is not true, then Falsifier can either win in a finite number of steps or force the play to go through infinitely many positions of form Tȳ. Hence, these positions should be assigned priority 1 (and all other positions higher priorities) so that such a play will be won by Falsifier. For GFP-formulae the situation is reversed. Verifier wants to force an infinite play, going infinitely often through positions Tȳ, so GFP-atoms are assigned priority 0.

In the general case, we have a formula ψ with nested least and greatest fixed points, and on an infinite play of G(𝔄, ψ) one may see different fixed point variables infinitely often. But then one of these variables is the smallest with respect to the dependency order. It can be shown that 𝔄 ⊨ ψ iff this smallest variable is a GFP-variable (provided players play optimally).

Hence, the priority labelling should assign even priorities to GFP-atoms and odd priorities to LFP-atoms. Further, if T ⊑_ψ T' and T, T' are fixed point variables of different kind, then T-atoms should get lower priority than T'-atoms.

As the index of a parity game is the main source of difficulty in computing winning sets, the number of different priorities should be kept as small as possible. We avoid the factor 2 appearing in common constructions of this kind by adjusting the definition of alternation level and alternation depth, setting al*_ψ(T) := al_ψ(T) + 1 if al_ψ(T) is even (odd) and T is an LFP (GFP) variable. In the other cases, al*_ψ(T) = al_ψ(T). Finally let ad*(ψ) be the maximal value of al*_ψ(T) for the fixed point variables in ψ.

Definition 5. The priority labelling Ω on positions of G(𝔄, ψ) is defined by

$$\Omega(\varphi, \rho) = \begin{cases} al^*_\psi(T) & \text{if } \varphi = T\bar x \text{ and } T \text{ is a fixed point variable,} \\ ad^*(\psi) & \text{otherwise.} \end{cases}$$

This completes the definition of the game G(𝔄, ψ). Note that the priority labelling satisfies the properties explained above, and that the index of G(𝔄, ψ) is at most ad(ψ) + 1.

The proof that the game is correct is similar to the proofs for model checking games for the μ-calculus. For details taking into account the optimizations made here, see [2].

Proposition 1. Let ψ be a guarded fixed point sentence from μGF or μCGF, and let 𝔄 be a relational structure. 𝔄 ⊨ ψ if and only if Player 0 has a winning strategy for the parity game G(𝔄, ψ).
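As an added, worked example (not code from the paper), the following Python builds the reachable part of the model checking game G(𝔄, ψ) as described in this section, for μGF sentences with a single fixed point (so al_ψ(T) = 0 and Definition 5 gives LFP-atoms priority 1 and GFP-atoms priority 0), and then solves the resulting parity game with Zielonka's recursive attractor algorithm, which computes the winning partition (W_0, W_1) of Theorem 1 under the least-priority convention of Section 3. The tuple encoding of formulae, the constructed five-element graph structure and all function names are assumptions of the example. Literal positions and quantifier positions without a satisfying guard extension, which have no successors in the paper's game, are wired to two sink positions so that "the player who has to move loses" is expressed in a dead-end-free game. The two sentences checked are the guarded reachability formula (∃x . C(x))[LFP T x . P(x) ∨ (∃y . Exy)Ty](x) and its GFP counterpart asserting an infinite Q-path; the failing reachability case shows the parity condition at work, because Verifier can loop forever through T-atoms on the 3-4 cycle but loses that play.

```python
from collections import deque

# Constructed sample structure (not from the paper): a directed graph with coloured
# vertices; C0 and C3 are singleton relations used as guards to pick a start vertex.
UNIVERSE = {0, 1, 2, 3, 4}
RELS = {'E': {(0, 1), (1, 0), (1, 2), (3, 4), (4, 3)},   # edges
        'P': {(2,)}, 'Q': {(3,), (4,)},                  # colours
        'C0': {(0,)}, 'C3': {(3,)}}                      # start guards

# Hypothetical tuple encoding of well-named formulae in negation normal form:
#   ('atom', R, vars) | ('neg', atom) | ('or'|'and', phi, theta)
#   ('exists'|'forall', ybar, guard_atom, phi)   guarded quantifier (Q ybar . guard) phi
#   ('lfp'|'gfp', T, xbar, phi, args)            [FP T xbar . phi](args)
#   ('fpatom', T, ybar)                          fixed point atom T ybar
def reach_p(start):  # (exists x . start(x)) [LFP T x . P(x) v (exists y . Exy) Ty](x)
    body = ('or', ('atom', 'P', ('x',)),
            ('exists', ('y',), ('atom', 'E', ('x', 'y')), ('fpatom', 'T', ('y',))))
    return ('exists', ('x',), ('atom', start, ('x',)), ('lfp', 'T', ('x',), body, ('x',)))

def inf_q_path(start):  # (exists x . start(x)) [GFP T x . Q(x) ^ (exists y . Exy) Ty](x)
    body = ('and', ('atom', 'Q', ('x',)),
            ('exists', ('y',), ('atom', 'E', ('x', 'y')), ('fpatom', 'T', ('y',))))
    return ('exists', ('x',), ('atom', start, ('x',)), ('gfp', 'T', ('x',), body, ('x',)))

def free(phi):
    """Free first-order variables of a subformula."""
    k = phi[0]
    if k in ('atom', 'fpatom'): return set(phi[2])
    if k == 'neg': return free(phi[1])
    if k in ('or', 'and'): return free(phi[1]) | free(phi[2])
    if k in ('exists', 'forall'): return (free(phi[2]) | free(phi[3])) - set(phi[1])
    return set(phi[4])  # lfp / gfp: only the arguments are free
def fp_defs(phi, acc):
    """Map each fixed point variable T to its defining formula D_psi(T)."""
    k = phi[0]
    if k in ('lfp', 'gfp'): acc[phi[1]] = phi; fp_defs(phi[3], acc)
    elif k in ('or', 'and'): fp_defs(phi[1], acc); fp_defs(phi[2], acc)
    elif k in ('exists', 'forall'): fp_defs(phi[3], acc)
    return acc
def holds(rels, lit, rho):
    """Truth of a literal (R not a fixed point variable) under assignment rho."""
    if lit[0] == 'neg': return not holds(rels, lit[1], rho)
    return tuple(rho[v] for v in lit[2]) in rels[lit[1]]
def guard_extensions(rels, guard, rho):
    """All rho+ : free(guard) -> A extending rho with A |= guard[rho+]."""
    for t in rels[guard[1]]:
        ext = dict(rho)
        if all(ext.setdefault(v, a) == a for v, a in zip(guard[2], t)): yield ext
def restrict(rho, phi): return frozenset((v, rho[v]) for v in free(phi))
def size(universe, rels):  # ||A|| = |A| + sum of the lengths of all tuples
    return len(universe) + sum(len(t) for R in rels.values() for t in R)

def build_game(rels, psi):
    """Reachable part of G(A, psi) as position -> (owner, priority, successors)."""
    defs = fp_defs(psi, {})
    al = {T: (1 if d[0] == 'lfp' else 0) for T, d in defs.items()}  # al*_psi(T), one fixed point
    ad = max(al.values(), default=0)                                 # ad*(psi)
    # Sinks replace 'the player to move is stuck and loses': sink w is won by Player w.
    game = {('sink', 0): (1, 0, {('sink', 0)}), ('sink', 1): (0, 1, {('sink', 1)})}
    init = (psi, frozenset()); todo = deque([init])
    while todo:
        pos = todo.popleft()
        if pos in game: continue
        phi, rho = pos; r = dict(rho); k = phi[0]; owner, prio, succ = 1, ad, set()
        if k in ('or', 'and'):
            owner = 0 if k == 'or' else 1
            succ = {(phi[1], restrict(r, phi[1])), (phi[2], restrict(r, phi[2]))}
        elif k in ('exists', 'forall'):
            owner = 0 if k == 'exists' else 1
            succ = {(phi[3], restrict(e, phi[3])) for e in guard_extensions(rels, phi[2], r)}
        elif k in ('lfp', 'gfp'):  # unique move (by Falsifier) into the defining formula
            r2 = {x: r[a] for x, a in zip(phi[2], phi[4])}; succ = {(phi[3], restrict(r2, phi[3]))}
        elif k == 'fpatom':        # T ybar -> (phi(T, xbar), rho') with rho'(xbar) = rho(ybar)
            d = defs[phi[1]]; prio = al[phi[1]]
            r2 = {x: r[y] for x, y in zip(d[2], phi[2])}; succ = {(d[3], restrict(r2, d[3]))}
        else:  # literal: Verifier must move at false literals, Falsifier at true ones
            owner = 1 if holds(rels, phi, r) else 0
        if not succ: succ = {('sink', 1 - owner)}  # stuck player loses
        game[pos] = (owner, prio, succ); todo.extend(succ)
    return game, init

def attractor(game, S, U, i):
    """Positions of S from which Player i can force the play into U."""
    attr, changed = set(U), True
    while changed:
        changed = False
        for v in S - attr:
            owner, _, succ = game[v]; nxt = succ & S
            if (owner == i and nxt & attr) or (owner != i and nxt <= attr):
                attr.add(v); changed = True
    return attr

def zielonka(game, S):
    """Winning partition (W0, W1) of the subgame on S; least priority seen infinitely often decides."""
    if not S: return set(), set()
    p = min(game[v][1] for v in S); i = p % 2
    A = attractor(game, S, {v for v in S if game[v][1] == p}, i)
    W = zielonka(game, S - A)
    if not W[1 - i]:  # the opponent wins nothing outside A, so Player i wins all of S
        return (set(S), set()) if i == 0 else (set(), set(S))
    B = attractor(game, S, W[1 - i], 1 - i)
    W2 = zielonka(game, S - B)
    return (W2[0], W2[1] | B) if i == 0 else (W2[0] | B, W2[1])

def model_check(rels, psi):
    """A |= psi iff the initial position lies in Verifier's winning set (Proposition 1)."""
    game, init = build_game(rels, psi)
    return init in zielonka(game, set(game))[0]
```

Because quantifier successors are enumerated from the tuples of the guard relation rather than from all assignments, the game stays within the ||𝔄||·|ψ| edge budget of Proposition 2 below; `size(UNIVERSE, RELS)` is 20 for the constructed structure, and each game built here has far fewer edges than that times the number of subformulae.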



4 The Complexity of Model Checking

The reduction scheme in the previous section provides a model checking technique for guarded fixed point logics: Given (𝔄, ψ), construct the corresponding game G(𝔄, ψ) and check whether Player 0 has a winning strategy. The complexity of this algorithm is determined by the complexity of the reduction and the complexity of solving the resulting parity game. In this section we discuss the construction of the game G(𝔄, ψ) for different kinds of guarded formulae and determine the size of the game. The general algorithmic results on parity games yield complexity results for our model checking problems. In the last section, we will then look more closely at the structure of games.

We can measure the complexity in terms of different parameters of the given formula and the given finite structure. Relevant notions, besides formula length, are the closure cl(ψ) of ψ, which is just the set of its subformulae, and the width, which is the maximal number of free variables in subformulae, i.e. width(ψ) := max{|free(φ)| : φ ∈ cl(ψ)}. The size of a finite relational structure 𝔄 = (A, R_1, …, R_m) is defined as ||𝔄|| = |A| + Σ_i r_i · |R_i|, where r_i is the arity of R_i (i.e., the number of structure elements plus the sum of the lengths of all tuples in its relations).

Model checking GF and μGF. It is obvious that GF generalizes propositional modal logic ML. The model checking problem for ML is PTIME-complete and can be solved in time O(||𝔄|| · |ψ|). Both results extend to GF.

Proposition 2. Given a sentence ψ ∈ μGF and a finite structure 𝔄, the associated parity game G(𝔄, ψ) can be constructed in time O(||𝔄|| · |ψ|).

Proof. In the construction of the parity game G(𝔄, ψ) = (V, V_0, E, Ω) we can restrict V to the positions (φ, ρ) that are reachable from the initial position (ψ, ∅). The construction of the game is straightforward; we just have to estimate its size. It suffices to prove that |E| = O(||𝔄|| · |ψ|).

Let H(ψ) be the syntax tree of ψ, with back edges from fixed point atoms Tx̄ to the defining formula φ(T, x̄). Obviously, H(ψ) has less than |ψ| nodes and edges.

We claim that for every edge φ → φ' of H(ψ) there exist at most ||𝔄|| edges of form (φ, ρ) → (φ', ρ') in the game graph G(𝔄, ψ). We consider several cases.

First, let φ = (Qx̄ . α)φ'. In that case an edge (φ, ρ) → (φ', ρ') can exist only if there exists an assignment ρ⁺ such that 𝔄 ⊨ α[ρ⁺] and ρ, ρ' are the restrictions of ρ⁺ to the free variables of φ and φ', respectively. As guards are atomic formulae, the number of assignments satisfying a guard is bounded by ||𝔄||.

In all other cases, i.e. if φ is not a quantified formula, then for any fixed φ and ρ there are at most two edges (φ, ρ) → (φ', ρ'). Hence it suffices to show that for each such φ ∈ H(ψ) there exist at most ||𝔄|| reachable positions (φ, ρ) in the game graph. Recall that fixed point variables occur inside their defining formulae only under the scope of a quantifier. If φ is not inside a quantifier, only the position (φ, ∅) is reachable. Otherwise there is a uniquely determined least subformula of ψ that strictly contains φ and has the form (Qȳ . α)ϑ. Then a position (φ, ρ) is reachable if and only if (ϑ, ρ) is reachable. Note that ϑ and α are uniquely determined by φ, and the position (ϑ, ρ) is reachable only if 𝔄 ⊨ α[ρ⁺] where ρ⁺ ⊇ ρ. By the same argument as above it follows that the number of reachable positions (φ, ρ) is bounded by ||𝔄||. This completes the proof.

According to Theorem 2, we obtain the following complexity bounds for model checking μGF via the associated parity game.



Theorem 3. Given a structure 𝔄 and a μGF-sentence ψ of alternation depth d, the model checking problem 𝔄 ⊨ ψ can be solved in space O(d · ||𝔄|| · |ψ|) and time

$$O\left( \left( \frac{\|\mathfrak A\| \cdot |\psi|}{\lfloor (d+1)/2 \rfloor} \right)^{\lfloor (d+3)/2 \rfloor} \right).$$



It is instructive to compare these results to the case of unguarded formulae. 
Note that even though there is no explicit restriction on the width (or equiva- 
lently, the number of first-order variables) in GF or pGF, the width is implicitly 
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bounded by the arity of the relation symbols. (On graphs, for instance, GF and 
^GF are really two- variable logics). For a meaningful comparison of the size of 
evaluation games and the model checking complexity for GF / /iGF with FO/LFP 
(or with clique guarded logics, see below) one should bound the width of these 
formulae. 

On a coarse level, if one just considers membership and completeness in 
major complexity classes, then modal logic ML, bounded-variable first-order 
logics, and GF are on the same level, with model checking problems that are 
PTiME-complete. For fixed-point logics, a similar picture emerges: L^, bounded- 
width parameter-free LFP, and fiGF have model checking problems that are in 
UP n CO-UP and hard for Ptime. 

However, a more detailed analysis reveals differences that are quite relevant 
for practical algorithms. Even for bounded-variable fragments FO^ of first-order 
logic the size of the corresponding model checking game is 0(|H|^|^|), as in 
general, all possible assignments p : {x\, . . . ,Xk\ — t A need to be taken into 
account. Hence, the model checking games (and the complexity) of bounded- 
variable logics are often quite substantially larger than for guarded logics. We 
will see that the complexity of clique guarded logic is between these two. 

Model checking GGF and /iGGF. By the definition of clique guardedness, 
for a tuple x of variables appearing free in a subformula of ijj, the value of any 
assignment p{x) induces a clique in the Gaifman graph of 2t. The number and 
size of cliques in this graph can be bound by parameters derived from its tree 
decompositions . 

Definition 6. A tree deeomposition of width I of some structure S is a tree 
labelled with subsets of at most I + 1 elements of B, called bloeks, such that (1) 
every strictly guarded set in B is included in some block and (2) for any element 
a G B the set of blocks which contain b is connected. The tree width of B is the 
minimal width of a tree decomposition of B. 

Lemma 1. Given a structure 2t of tree width I, the number of clique guarded 
assignments in 21 for a tuple of k variables is bounded by Cf,(2l) := {I + 1)^ • |2l|. 

Proof. Let T be a tree decomposition of width l of the structure 𝔄 and thus 
also of its Gaifman graph. A simple graph theoretic argument [?] shows that 
cliques are not disbanded by tree decompositions, that is, every clique of the 
Gaifman graph is contained in some decomposition block. Consequently, every 
clique guarded set in 𝔄, in particular ρ(x̄), is contained in some block of T. 
Since we can assume without loss of generality that |T| ≤ |A|, the number of clique guarded 
k-tuples in 𝔄, and with it the number of clique guarded assignments, is bounded 
by (l + 1)^k · |A|. 

By a similar analysis as in the case of μGF we obtain the following estimates. 

Proposition 3. Given a μCGF-sentence ψ of width k and a finite structure 𝔄 
of tree width l, the associated parity game 𝒢(𝔄, ψ) can be constructed in time 
O(c_k(𝔄) · |cl(ψ)|). 
Theorem 4. For a structure 𝔄 and a μCGF-sentence ψ of width k and alterna- 
tion depth d the model checking problem can be solved in space O(d · c_k(𝔄) · |cl(ψ)|) 
and time 

O( ⋯ ⌊(d+1)/2⌋ ⋯ ) 


For unguarded sentences, corresponding complexity expressions are obtained 
by replacing c_k(𝔄) with the number of possible assignments in that case, |𝔄|^k. If 
the tree width l of 𝔄 is small compared to |𝔄| this value is much higher than 
c_k(𝔄) = (l + 1)^k · |𝔄|. Especially, for a fixed clique guarded sentence ψ, the size 
of the game 𝒢(𝔄, ψ) for structures 𝔄 of bounded tree width grows linearly with 
the size of 𝔄, while it grows polynomially with degree k when ψ is unguarded. 

However, in the case of unbounded width the model checking problems for 
CGF and μCGF are as hard as for FO and LFP. To prove this, one takes input 
structures with a complete binary guard relation, so that all tuples in the struc- 
ture become clique guarded. Similar observations apply to expression complexity 
and to other guarded logics (like loosely guarded or packed fragments). 



Proposition 4. The model checking problems for CGF and μCGF of unbounded 
width are PSPACE-complete and EXPTIME-complete, respectively. 



5 Easy Games and Tractable Fixed Point Formulae 

In the previous section we established complexity results for model checking 
problems based on complexity bounds for the associated parity games as given 
by Theorem [?]. These complexity bounds take into account worst-case scenarios 
as, for example, that the underlying game graph is strongly connected and that 
each player can force the play to reach almost any priority. However, for model 
checking games resulting from specific classes of formulae or structures such 
assumptions may be overly pessimistic and better heuristics apply. By looking 
more closely at the structure of parity games, we can isolate easy cases of games 
and obtain classes of formulae for which the associated parity games can be 
solved efficiently, in subquadratic time with regard to their size. 

De-tangling the game. An obvious approach to complex problems is by 
decomposition into independent simpler subproblems. In the context of games, 
subproblems correspond to subgames. A subgame of a parity game 𝒢 is a game 
𝒢↾U obtained by restricting 𝒢 to the positions of some subset U ⊆ V. The 
subgame induced by the set of all positions reachable from a position v in 𝒢 is 
called rooted at v and denoted by 𝒢↾v. We say a subgame ℋ of 𝒢 is stable if the 
winning set of each player in ℋ is a subset of its winning set in 𝒢. 

Clearly, in any game the rooted subgames are stable. Given a parity game 
𝒢, let ℋ be a rooted subgame. Note that there may be different positions v, 
w such that ℋ = 𝒢↾v = 𝒢↾w. In that case we say that v and w are entangled. 

The entanglement relation is an equivalence on game positions. Let us call its 
classes the tangles of 𝒢. In particular, we call the class of v with 𝒢↾v = ℋ the 
root tangle of ℋ. Via their root tangle the rooted subgames of 𝒢 are in one-to- 
one correspondence to the tangles of 𝒢. We call a tangle that induces a rooted 
subgame in 𝒢 a leaf tangle. Observe that the tangles of a game are precisely 
the strongly connected components of the underlying graph. Over these the 
reachability relation in 𝒢 induces a partial ordering with the root tangle of 𝒢 as 
the greatest element and the leaf tangles as least elements. 

Towards a divide-and-conquer approach, we are interested in subproblems 
which are independent, so that the global solution can easily be recomposed 
from the partial solutions. Suppose that, in order to solve 𝒢, some rooted strict 
subgame 𝒢↾U was already solved. At this point it would not help to solve the 
subgame induced by the unresolved positions, which is not necessarily 
stable. Instead, we can first propagate the solutions found for U into V \ U by 
including in the winning set W_0 of Player 0 every position from V_0 with some 
successor already in W_0 and those positions from V_1 with all successors already 
in W_0; for Player 1 we can proceed dually. Let P be the set of positions assigned 
to winning sets by iterating the above process. Then the subgame 𝒢↾(V \ (U ∪ P)) 
induced by the unresolved positions is stable. 

This suggests a heuristic for solving a parity game that starts by solving the 
leaf tangles and then, after propagating their solutions, applies recursively to 
the subgame induced by the unresolved positions. In a concrete implementation, 
this heuristic relies on three algorithms. 

(1) A decomposition procedure which computes and updates the strongly con- 
nected components of the game graph to provide a list of its leaf tangles. 

(2) A tangle-solver for solving the games induced by the leaf tangles. 

(3) A propagator that evaluates the obtained partial solutions and passes a 
new stable subgame to the next recursion step. 

For an efficient implementation, the game graph can initially be decomposed 
into its strongly connected components by using Tarjan's algorithm which works 
in time linear in the number of edges. Subsequently, this decomposition can be 
updated dynamically by removing a component after each call of the tangle- 
solver and refining the decomposition order for every batch of positions removed 
from the original game by the propagator. By adapting an algorithm from [3] the 
time for this operation can be linearly bounded by the number of removed edges, 
so the global algorithm will not spend more than linear time in the decomposition 
procedure. Also the propagator can be written such that it visits every edge of the 
game graph at most once. Thus, the above heuristic leads to an algorithm which 
spends only linear time in the decomposition and the propagation procedures. 

Proposition 5. The winning partition of a parity game can be computed effi- 
ciently if an efficient tangle-solver is available. 

Well-founded games. A tangle is trivial if it consists of a single position. 
If all tangles in a game are trivial, the game graph is acyclic and the solutions 
of the leaf tangles propagate all the way up to the root. Such games are called 
well-founded, and it is folklore that they can be solved efficiently. 
Proposition 6. Any well-founded game can be solved in linear time. 

For instance, given a well-founded game 𝒢 = (V, V_0, E) we can write in time 
O(|E|) a propositional Horn formula ψ_𝒢 consisting of the clauses u ← v for all 
edges (u, v) ∈ E with u ∈ V_0, and the clauses u ← v_1 ∧ ⋯ ∧ v_m for all nodes 
u ∈ V − V_0 where uE = {v_1, …, v_m}. The minimal model of ψ_𝒢 is precisely 
the winning set W_0. In fact, for well-founded games the above heuristic yields 
a linear time decision procedure which coincides with the known linear time 
algorithm for solving propositional Horn formulae. 

Corollary 1. For a structure 𝔄 and a CGF-sentence ψ of width k, the model 
checking problem can be solved in time O(c_k(𝔄) · |cl(ψ)|). If ψ ∈ GF the problem 
can be solved in time O(‖𝔄‖ · |ψ|). 

Dull versus lively games. Given a game, an i-loop is a simple cycle in the 
game graph with least occurring priority i. Let the range of a tangle T be 
the set of priorities i for which T contains an i-loop. We say a tangle is dull if 
all priorities in its range are of the same parity. A game is dull if all its tangles 
are so, otherwise it is called lively. Note that whenever a tangle is not trivial, 
then its range contains the least priority occurring in it. Thus, any nontrivial 
tangle T which is dull in a game 𝒢 can be decided by checking whether the least 
occurring priority is even. If this is the case, Player 0 wins from each position 
in 𝒢↾T, otherwise he loses. Using this tangle-solver with our heuristic we can 
solve dull games in linear time. 

Theorem 5. Any dull game 𝒢 = (V, V_0, E, Ω) can be solved in time O(|V| + |E|). 

The problem of establishing the winner of a parity game is algorithmically 
equivalent to the emptiness problem for nondeterministic parity automata over 
trees. Kupferman, Vardi, and Wolper show that the latter problem re- 
duces to the 1-letter emptiness problem of alternating automata over words. In 
this framework, dull games correspond to so-called weak automata. Kupferman, 
Vardi, and Wolper show that the 1-letter emptiness problem for weak alter- 
nating word automata can be solved in linear time, thus proving that model 
checking for alternation-free L_μ-formulae can be performed in linear time. Here, 
we will generalize this result to alternation-free guarded formulae, i.e., formulae 
of alternation depth 1. Towards this, let us establish a connection between the 
alternation depth of a formula and the range of the tangles in the associated 
game. Let T be a tangle in a model checking game 𝒢(𝔄, ψ). We say that a fixed 
point variable X is alive in T if the tangle contains some position (Xx̄, β). 

Lemma 2. In any nontrivial tangle of 𝒢(𝔄, ψ) the set of alive fixed point vari- 
ables has a unique minimal element w.r.t. ⊑_ψ. 

Proof. Consider a play π cycling in T from some position v = (Xx̄, β) back to 
itself. By a straightforward induction, we can verify that for each fixed point 
variable Y seen along π, D_ψ(Y) is a subformula of D_ψ(X) and X appears free 
in D_ψ(Y). Hence, X ⊑_ψ Y for all fixed point variables Y on π. As T is strongly 
connected, for any variable Y alive in T there is a play cycling through X and Y. 

Observe that in a model checking game the range of a tangle T consists of the 
priorities of all alive fixed point variables. Thus, if all these variables depend on 
some fixed point variable X, the range of T is included in {Ω(Y) : X ⊑_ψ Y}. By 
definition, in an alternation-free formula ψ there are no dependencies between 
variables of different kind. Accordingly, the priorities associated to any two alive 
variables are of the same parity. It follows that there are no alternating priorities 
in the range of any tangle of a model checking game. 

Proposition 7. Alternation-free fixed point formulae lead to dull games. 

Corollary 2. For a structure 𝔄 and an alternation-free μCGF-sentence ψ of 
width k, model checking can be performed in time O(c_k(𝔄) · |cl(ψ)|). In particular, 
if ψ ∈ μGF the problem can be solved in time O(‖𝔄‖ · |ψ|). 

The result for alternation-free μGF has been proved by a different method in [?]. 

Solitaire games. For arbitrary games, the number of alternating priorities 
in the range of a tangle or, more generally, its index, is not bounded. To our 
present knowledge, this index appears as a significant source of complexity in all 
decision procedures for parity games. Typically, the worst-case running time of 
such a procedure grows exponentially with (a constant fraction of) the index. One 
reason for this difficulty may be that even if a player has a winning strategy in a 
game, he cannot tell in which priority the play will finally be trapped. In general, 
the opponent may be able to choose at any point between different, though 
hostile, loops and thus continually trade against the first player’s strategy. The 
costs of a search for a trap where all this trading is ineffective can be quite high 
in terms of complexity. 

In the case of dull games considered above, this difficulty is circumvented 
by restricting the trading range as much as possible. Thus, each player knows 
that the only way to win is by attracting its opponent into a loop of the right 
priority in which the game can be kept infinitely. Another approach to avoid the 
difficulties caused by trading priorities consists in allowing only one player to 
move in the cyclic parts of the game. 

Definition 7. A game is solitaire if all nontrivial moves are performed by the 
same player. A game is nested solitaire if all its tangles are solitaire games. 

Notice that a positional strategy can be presented as a solitaire game. In the 
automata-theoretic view a solitaire game corresponds to a deterministic par- 
ity tree automaton whose emptiness problem is linear time reducible to the 
nonemptiness problem of a one-letter nondeterministic parity word automaton. 
This problem was known to be solvable in time O((n + m)d) for an automa- 
ton with n states, m transitions and d even priorities. Recently, King, Kupfer- 
man, and Vardi [19] presented an algorithm which solves this problem in time 
O((n + m) log d). Via the aforementioned equivalence their result applies to soli- 
taire games also. 

Proposition 8. The winner of a solitaire game 𝒢 = (V, V_0, E, Ω) of index d 
can be established in time O(log d · (|V| + |E|)). 
However, for deciding the winner of a nested solitaire game, our heuristic 
relies on the computation of the entire winning partition of leaf tangles. It is not 
clear whether the algorithm of King, Kupferman, and Vardi can be extended 
to a fast solver for games that consist of solitaire tangles but are not solitaire 
themselves. To solve the leaf tangles of such games we will therefore use another 
approach. 

Let ℋ be a solitaire game on a tangle with all positions belonging to Player 0. 
She wins from a position if she can reach an even loop. Let the even priorities in 
the range of ℋ be {i_1, …, i_d}. To determine the winning partition of ℋ we can 
proceed as follows. 

Decompose ℋ into d copies ℋ_1, …, ℋ_d where ℋ_j is the subgame of ℋ induced 
by the positions of priority at least i_j. Transform ℋ_j into a dull game by assigning 
to all positions of priority greater than i_j some higher, odd priority. Now solve 
every ℋ_j as a dull game. Note that, if the copy of a position v in ℋ_j is winning 
for Player 0, then v is also winning in ℋ. Thus, the union of winning sets in the 
copies ℋ_j yields, by propagation, the winning set of Player 0 in ℋ. 

This procedure reduces the solution of a solitaire tangle game to the solu- 
tion of d dull games. By embedding the algorithm into our decomposition and 
propagation scheme we obtain a solver for nested solitaire games. 

Theorem 6. A nested solitaire parity game 𝒢 = (V, V_0, E, Ω) of index d can be 
solved in time O(d · (|V| + |E|)). 
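The decomposition / tangle-solver / propagator scheme introduced with the de-tangling heuristic, the Horn-style propagation behind Proposition 6, the dull-tangle rule of Theorem 5 and the solitaire tangles of Theorem 6 all fit one program, so the following Python example, added here as an illustration and not taken from the paper, implements the scheme once: Tarjan's algorithm delivers leaf tangles sink-first, the tangle-solver decides a leaf tangle from the parities of its loop priorities, and the propagator extends the solution exactly as described in the text. The game encoding (`owner`, `prio`, `edges`), the sample game and the convention that a position without successors is lost by its owner are assumptions of the example. For the solitaire case it uses that a leaf tangle is strongly connected, so the mover can reach every loop in it and wins iff the range contains a priority of the mover's parity, which is the outcome the d dull copies above compute; a tangle that is lively and not solitaire is refused.

```python
"""Tangle-based solving of the easy parity games of this section.  Added example
(not the authors' code).  Conventions (constructed): owner[v] in {0, 1}, prio[v] a
natural number, edges a list of (u, v) pairs; a position without successors is
lost by its owner."""


def tarjan_sccs(nodes, succ):
    """SCCs of the subgame induced by `nodes`, sink-first: out[0] is a leaf tangle."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a finished component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return out


def propagate(owner, succ, win):
    """The propagator: a position is won by its owner if some successor is already
    won by the owner, and lost if all successors (possibly none) are won by the
    opponent.  On a well-founded game this is forward chaining on the Horn
    clauses of Proposition 6 and settles every position."""
    changed = True
    while changed:
        changed = False
        for v, p in owner.items():
            if v in win:
                continue
            decided = {win[w] for w in succ[v] if w in win}
            if p in decided:
                win[v], changed = p, True
            elif all(w in win for w in succ[v]):
                win[v], changed = 1 - p, True


def loop_priorities(tangle, prio, succ):
    """Range of a tangle: priorities i with an i-loop, i.e. some priority-i position
    lies on a cycle of the positions of priority at least i."""
    rng = set()
    for i in {prio[v] for v in tangle}:
        for comp in tarjan_sccs({v for v in tangle if prio[v] >= i}, succ):
            cyclic = len(comp) > 1 or any(v in succ[v] for v in comp)
            if cyclic and any(prio[v] == i for v in comp):
                rng.add(i)
                break
    return rng


def solve_tangle(tangle, owner, prio, succ):
    """Tangle-solver for a leaf tangle (strongly connected, every position keeps a
    successor inside it): solitaire (Theorem 6) and dull (Theorem 5) tangles have
    a uniform winner; anything else is refused."""
    rng = loop_priorities(tangle, prio, succ)
    parities = {i % 2 for i in rng}
    movers = {owner[v] for v in tangle if len(succ[v] & tangle) > 1}
    if len(movers) == 1:  # solitaire: the mover reaches every loop of the tangle
        p = movers.pop()
        return p if p in parities else 1 - p
    if len(parities) == 1:  # dull: Player 0 wins iff the least priority is even
        return min(rng) % 2
    raise ValueError("lively tangle with nontrivial moves by both players")


def solve(owner, prio, edges):
    """Winning partition by decomposition, tangle-solver and propagation."""
    succ = {v: set() for v in owner}
    for u, v in edges:
        succ[u].add(v)
    win = {}
    propagate(owner, succ, win)  # a well-founded game is settled here alone
    unresolved = set(owner) - set(win)
    while unresolved:  # the unresolved positions form a stable subgame
        leaf = tarjan_sccs(unresolved, succ)[0]
        winner = solve_tangle(leaf, owner, prio, succ)
        win.update((v, winner) for v in leaf)
        propagate(owner, succ, win)
        unresolved -= set(win)
    return win


def sample_game():
    """Constructed game: a well-founded part (j, k), dull tangles {c}, {d, e}, {i}
    and a lively solitaire tangle {f, g} moved by Player 0."""
    owner = dict(a=0, b=1, c=1, d=0, e=1, f=0, g=0, h=1, i=0, j=1, k=0)
    prio = dict(a=0, b=3, c=1, d=2, e=4, f=1, g=2, h=5, i=3, j=0, k=1)
    edges = [('a', 'b'), ('a', 'd'), ('b', 'c'), ('b', 'd'), ('c', 'c'), ('d', 'e'),
             ('e', 'd'), ('f', 'f'), ('f', 'g'), ('g', 'f'), ('g', 'g'), ('h', 'f'),
             ('h', 'i'), ('i', 'i'), ('k', 'j')]
    return owner, prio, edges
```

On the sample game `solve` settles j and k by propagation alone, then takes the leaf tangles {c}, {d, e}, {f, g} and {i} in turn, propagating after each; Player 0 wins a, d, e, f, g, j, k and Player 1 wins b, c, h, i. Each call to `loop_priorities` costs one SCC pass per distinct priority of the tangle, so this is the linear-time behaviour of Theorem 5 only up to that factor; the text's dynamic update of the decomposition is replaced by recomputing it on the unresolved positions.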

Solitaire formulae. Given that nested solitaire games can be treated efficiently, 
the question arises whether these games correspond to a natural fragment of 
fixed point logic. Note that in a model checking game, Player 0 makes choices 
at positions corresponding to disjunctions or existential quantifications, whereas 
Player 1 makes nontrivial choices at conjunctions and universal quantifications. 
To make sure that all tangles in a game are (nested) solitaire we thus have to 
restrict the use of one of these pairs of operators. The radical approach would be 
to remove ∧ and ∀ (or, equivalently, ∨ and ∃). We thus would obtain a fragment 
whose model checking games are solitaire which, however, is not very expressive. 
A more liberal approach is to restrict the syntax as follows. 

Definition 8. The solitaire fragment of μCGF consists of those formulae where 
negation and universal quantification apply to closed formulae only and conjunc- 
tions to pairs of formulae of which at least one is closed. 

Recall that a fixed point formula is closed if it contains no free fixed point 
variables. By Lemma 2, positions with closed subformulae are not entangled with 
any other positions. Consequently, the model checking games of solitaire μCGF- 
formulae are nested solitaire games. We remark that the solitaire fragment of 
the modal μ-calculus has already been studied under the name L2 in [?]. 

Proposition 9. The model checking problem for a structure 𝔄 and a solitaire 
μCGF-sentence ψ of width k and alternation depth d can be solved in time 
O(d · c_k(𝔄) · |cl(ψ)|). In particular, for ψ ∈ μGF the problem can be solved in 
time O(d · ‖𝔄‖ · |ψ|). 
Abstract. This paper describes a number of hyperresolution-based de- 
cision procedures for a subfragment of the guarded fragment. We first 
present a polynomial space decision procedure of optimal worst-case 
space and time complexity for the fragment under consideration. We then 
consider minimal model generation procedures which construct all and 
only minimal Herbrand models for guarded formulae. These procedures 
are based on hyperresolution, (complement) splitting and either model 
constraint propagation or local minimality tests. All the procedures have 
concrete application domains and are relevant for multi-modal and de- 
scription logics that can be embedded into the considered fragment. 



1 Introduction 

The guarded fragment (GF) is a generalisation of the modal fragment of first- 
order logic. The fragment was introduced in an attempt to explain the good 
model-theoretic and proof-theoretic properties of modal logics, including the 
decidability of the satisfiability problem [1]. A variety of decision procedures 
for the fragment and its extensions have been developed, which utilise different 
techniques such as ordered resolution, model-theoretic constructions, alternat- 
ing automata or embedding into second-order logic [7,9,12,13]. However, the 
devised decision procedures have some drawbacks. In particular, they exhibit at 
least double exponential worst-case time and space complexity [7,12], which is 
in contrast to the low complexity of the satisfiability problem of basic modal 
logic. Moreover, extensions of the guarded fragment with transitivity or number 
restrictions lead to undecidability [?], even though modal logics extended with 
transitivity or number restrictions are decidable. This shows that the guarded 
fragment as a whole is too general and expressive and cannot thoroughly ex- 
plain the good computational properties of modal logics and related description 
logics. A natural question arises whether there are more restricted, but yet ex- 
pressive fragments which provide more suitable logics and for which there are 

* The authors thank Peter Baumgartner for drawing our attention to Niemelä's work 
and raising the question of the computational complexity of minimal model gene- 
ration. The work of the first and third authors is supported by EPSRC Research 
Grant GR/M36700. 
algorithms with better worst-case complexity and that possibly employ inference 
techniques similar to those prominently used for modal and description logics. 
Such a subfragment, called GF1⁻, is identified by Lutz, Sattler and Tobies [18], 
who describe a tableaux procedure which decides GF1⁻ and prove that under 
certain assumptions the satisfiability problem of GF1⁻ is PSPACE-complete. 

Our investigations are situated in the framework of resolution, which is well- 
studied and well-mechanised. In previous work [?] we describe a hyperresolu- 
tion decision procedure for GF1⁻ and certain generalisations of GF1⁻, which 
also include formulae outside the guarded and loosely guarded fragment. This 
procedure polynomially simulates the tableaux procedure for GF1⁻ of [18] and 
forms a generalisation of the selection-based resolution procedure which polyno- 
mially simulates tableaux procedures for modal logics and description logics [8, ?]. 
However, in the worst case the procedure has double exponential space com- 
plexity. 

The first part of this paper describes a resolution decision procedure for 
GF1⁻ with optimal space complexity (Section 3). This procedure is based on 
the hyperresolution decision procedure of [?] and uses the so-called trace tech- 
nique [?] which is utilised in PSPACE tableaux procedures for description (and 
modal) logics. The presentation of the algorithm is sufficiently detailed and pre- 
serves the essential structure of the main inference loop found in state-of-the-art 
theorem provers such as Gandalf, OTTER, SPASS and Vampire, and is thus 
easily implementable. 

The second part of the paper considers the problem of generating minimal 
Herbrand models for GF1⁻ (Section 4). The generation of minimal (Herbrand) 
models has been shown to be useful in a number of applications [?] and we 
believe that modal logics and generalisations like GF1⁻ could provide expressive 
languages for the specification of related applications in the area of multi-agent 
systems [?]. 

There are various approaches to generating minimal Herbrand models with 
hyperresolution [5,6,14,20] which, with the exception of [?], have been applied 
only to propositional clause sets. We focus on two of these approaches. The first 
is based on an extension of our resolution-based decision procedure for GF1⁻ [?] 
by a model constraint propagation rule which ensures that only minimal models 
are generated. This generalises the approach and results of Bry and Yahya [?]. 
The second approach avoids the need for model constraints by using a variant 
of a local minimality test proposed by Niemelä [?]. Unfortunately, Niemelä's 
approach requires that the complement of a Herbrand model is finite, which is 
not the case for GF1⁻. We show how this problem can be solved, and discuss 
and compare the space and time complexity of procedures based on these two 
approaches to minimal model generation for GF1⁻. 

Both minimal Herbrand model generation approaches are applicable to the 
clausal class VW Hg and to all modal and description logics that can be embed- 
ded into GF1⁻, the description logic ALC, and the modal logic K_(m)(∩, ∪, ⌣), 
which is defined over families of binary relations closed under intersection, union 
and converse [?]. 
2 Preliminaries 


The notational convention is as follows. We denote first-order variables by x, y, 
z, terms by s, t, u, constants by a, b, functions by f, g, h, predicate symbols by 
P, Q, G, atoms by A, A_1, A_2, literals by L, clauses by C, formulae by φ, ψ, ϑ, 
and sets of clauses by N. An over-line indicates a sequence. If s̄ = (s_1, …, s_n) 
then f̄(s̄) denotes a sequence of terms of the form f^i(s_1, …, s_n). 

Let each predicate symbol G be associated with a unique grouping (i, j) 
where i, j > 0. Then: (i) If φ is an atomic formula, φ is in GF1⁻. (ii) If φ is in 
GF1⁻ and G has grouping (i, j) then ∃ȳ(G(x̄,ȳ) ∧ φ(ȳ)), ∀ȳ(G(x̄,ȳ) → φ(ȳ)), 
∃x̄(G(x̄,ȳ) ∧ φ(x̄)), and ∀x̄(G(x̄,ȳ) → φ(x̄)) are GF1⁻ formulae provided x̄ is 
a sequence of variables of length i, ȳ is a sequence of variables of length j, and 
x̄ ∩ ȳ = ∅. Repetitions and permutations of variables are allowed. The atoms 
G(x̄,ȳ) are called guards. (iii) ⊤ and ⊥ are in GF1⁻. And, (iv) GF1⁻ is closed 
under Boolean connectives. If s̄ and t̄ are arbitrary sequences of terms of length 
i and j, then G(s̄,t̄) represents both G(s̄,t̄) and G(t̄,s̄). 

The procedures described in this paper are based on the resolution decision 
procedure for GF1⁻ presented in [?]. It proceeds as follows. First a given GF1⁻ 
formula is transformed (by a polynomial time algorithm) into a set of clauses, 
which have the following forms. 

$$\begin{array}{ll}
Q_\varphi(\bar a) & \\
\neg Q_\varphi(\bar x) \vee \neg P(\bar x) & \text{if } \varphi = \neg P(\bar x) \\
\neg Q_\varphi(\bar x) \vee \neg G(\bar x,\bar y) \vee Q_\psi(\bar y) & \text{if } \varphi = \forall \bar y\,(G(\bar x,\bar y) \to \psi(\bar y)) \\
\neg Q_\varphi(\bar x) \vee G(\bar x,\bar f(\bar x)),\quad \neg Q_\varphi(\bar x) \vee Q_\psi(\bar f(\bar x)) & \text{if } \varphi = \exists \bar y\,(G(\bar x,\bar y) \wedge \psi(\bar y)) \\
\neg Q_\varphi(\bar z) \vee Q_\psi(\bar x),\quad \neg Q_\varphi(\bar z) \vee Q_\vartheta(\bar y) & \text{if } \varphi = \psi(\bar x) \wedge \vartheta(\bar y),\ \bar z = \bar x \cup \bar y \\
\neg Q_\varphi(\bar z) \vee Q_\psi(\bar x) \vee Q_\vartheta(\bar y) & \text{if } \varphi = \psi(\bar x) \vee \vartheta(\bar y),\ \bar z = \bar x \cup \bar y
\end{array}$$

Here, f̄(x̄) is a sequence of (distinct) Skolem terms introduced for the sequence 
of existentially quantified variables ȳ in ∃ȳ(G(x̄,ȳ) ∧ ψ(ȳ)). 
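To make the rows of this table concrete, here is an added Python example (not the authors' implementation) that performs the structural transformation on a small GF1⁻ formula. Its tuple-based formula syntax, the names Q0, Q1, … for the Q_φ predicates, the Skolem function names f1, f2, … and the constant names a1, a2, … are assumptions of the example; the clause it emits for a positive atom P(x̄) is the obvious counterpart of the ¬P(x̄) row and is not shown in the table above.

```python
"""Definitional clausal form of GF1⁻ formulae following the table above.
Added example, not the authors' implementation.  Constructed syntax:
  ('atom', P, vars)             P(x̄)
  ('neg', ('atom', P, vars))    ¬P(x̄)
  ('and', l, r), ('or', l, r)
  ('exists', G, xs, ys, body)   ∃ȳ (G(x̄,ȳ) ∧ body(ȳ))
  ('forall', G, xs, ys, body)   ∀ȳ (G(x̄,ȳ) → body(ȳ))
Terms: variables are strings, constants and Skolem terms are (name, args) tuples;
a literal is (positive, predicate, args)."""


def free_vars(phi):
    """Free variables of phi in order of first occurrence."""
    kind = phi[0]
    if kind == 'atom':
        return list(dict.fromkeys(phi[2]))
    if kind == 'neg':
        return free_vars(phi[1])
    if kind in ('and', 'or'):
        return list(dict.fromkeys(free_vars(phi[1]) + free_vars(phi[2])))
    _, _, xs, ys, body = phi
    return list(dict.fromkeys(list(xs) + [v for v in free_vars(body) if v not in ys]))


class Translator:
    def __init__(self):
        self.names, self.clauses, self.skolems = {}, [], 0

    def q(self, phi):
        """Q_phi: one fresh predicate per structurally distinct subformula."""
        key = repr(phi)
        if key not in self.names:
            self.names[key] = 'Q%d' % len(self.names)
            self.define(phi)
        return self.names[key]

    def define(self, phi):
        """Emit the definitional clauses of phi (one row of the table each)."""
        kind, neg_q = phi[0], (False, self.names[repr(phi)], tuple(free_vars(phi)))
        if kind == 'atom':  # positive counterpart of the ¬P(x̄) row (not in the table)
            self.clauses.append([neg_q, (True, phi[1], tuple(phi[2]))])
        elif kind == 'neg':
            self.clauses.append([neg_q, (False, phi[1][1], tuple(phi[1][2]))])
        elif kind in ('and', 'or'):
            parts = [(True, self.q(sub), tuple(free_vars(sub))) for sub in phi[1:]]
            if kind == 'and':
                self.clauses += [[neg_q, part] for part in parts]
            else:
                self.clauses.append([neg_q] + parts)
        else:
            _, g, xs, ys, body = phi
            q_body = self.q(body)
            if kind == 'forall':
                self.clauses.append([neg_q, (False, g, tuple(xs) + tuple(ys)),
                                     (True, q_body, tuple(ys))])
            else:  # one fresh Skolem function f_i(x̄) per existentially quantified variable
                fs = []
                for _ in ys:
                    self.skolems += 1
                    fs.append(('f%d' % self.skolems, tuple(xs)))
                self.clauses += [[neg_q, (True, g, tuple(xs) + tuple(fs))],
                                 [neg_q, (True, q_body, tuple(fs))]]


def clausal_form(phi):
    """Clause set of phi(x̄): the ground unit Q_phi(ā) plus all definitional clauses."""
    t = Translator()
    q = t.q(phi)
    consts = tuple(('a%d' % (i + 1), ()) for i in range(len(free_vars(phi))))
    return [[(True, q, consts)]] + t.clauses


def term_str(t):
    if isinstance(t, str):
        return t
    return t[0] if not t[1] else '%s(%s)' % (t[0], ', '.join(map(term_str, t[1])))


def clause_str(clause):
    return ' ∨ '.join(('' if pos else '¬') + p + ('(%s)' % ', '.join(map(term_str, a)) if a else '')
                      for pos, p, a in clause)
```

For φ(x) = ∀y(R(x,y) → P(y)) ∧ ∃y(R(x,y) ∧ ¬P(y)), `clausal_form` yields eight clauses beginning with the ground unit Q0(a1); every other clause has exactly one negative Q-literal, which is what lets the hyperresolution calculus described next work with ground unit positive premises.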

Second, a hyperresolution calculus is used to determine satisfiability of the 
clause set. The calculus, denoted by R_hyp, uses the following expansion rules: 

Deduce: 
$$\frac{N}{N \cup \{C\}}$$ 
where C is a resolvent or a factor. 

Splitting: 
$$\frac{N \cup \{C_1 \vee C_2\}}{N \cup \{C_1\} \;\mid\; N \cup \{C_2\}}$$ 
where C_1 and C_2 are variable disjoint. 

The resolution and factoring inference rules are: 

Hyperresolution: 
$$\frac{C_1 \vee A_1 \quad \cdots \quad C_n \vee A_n \quad \neg A_{n+1} \vee \cdots \vee \neg A_{2n} \vee D}{(C_1 \vee \cdots \vee C_n \vee D)\sigma}$$ 
where (i) σ is the most general unifier such that A_iσ = A_{n+i}σ for every i, 
1 ≤ i ≤ n, and (ii) C_i ∨ A_i and D are positive clauses, for every i, 1 ≤ i ≤ n. 
The right-most premise in the rule is referred to as the negative premise and all 
other premises are referred to as positive premises. 

Factoring: 
$$\frac{C \vee A_1 \vee A_2}{(C \vee A_1)\sigma}$$ 
where σ is the most general unifier of A_1 and A_2. 



A derivation in R_hyp from a set of clauses N is a finitely branching, ordered 
tree T with root N whose nodes are sets of clauses. The tree is constructed by 
applications of the expansion rules to the leaves. We assume that no hyper- 
resolution or factoring inference is computed twice on the same branch of the 
derivation. Any path N(= N_0), N_1, … in a derivation T is called a closed branch 
in T iff the clause set ⋃_j N_j contains the empty clause, otherwise it is called an 
open branch. We call a branch B in a derivation tree complete (with respect to 
R_hyp) iff no successor nodes can be added to the endpoint of B by R_hyp, 
otherwise it is called an incomplete branch. A derivation is complete iff all of its 
branches are either closed or complete. A derivation T is a refutation iff every 
path N(= N_0), N_1, … in it is a closed branch, otherwise it is called an open 
derivation. A branch selection function is a function mapping an open deriva- 
tion tree to one of its open branches. A derivation T from N is called fair if for 
any path N(= N_0), N_1, … in T, with limit N_∞ = ⋃_j ⋂_{k≥j} N_k, it is the case 
that each clause C that can be deduced from non-redundant premises in N_∞ is 
contained in some N_j. Note that for a finite path N(= N_0), N_1, …, N_n, the limit 
N_∞ is equal to N_n. 



Theorem 1 ([3]). Let T be a fair derivation from a set N of clauses. Then: 
(i) If N(= N_0), N_1, … is a path with limit N_∞, N_∞ is saturated up to redun- 
dancy. (ii) N is satisfiable if and only if there exists a path in T with limit N_∞ 
such that N_∞ is satisfiable. (iii) N is unsatisfiable if and only if for every path 
N(= N_0), N_1, … the clause set ⋃_j N_j contains the empty clause. 

We restrict our attention to derivations generated by strategies such that the 
positive premises of any hyperresolution step are positive ground unit clauses. 
For GF1⁻ this can be achieved by performing suitable splitting and factoring 
inferences before hyperresolution inferences. Since we are able to prove termi- 
nation of any such derivation for the clause set rendered by formulae in GF1⁻, 
any such strategy is fair. 

Theorem 2 ([11]). Let φ be a GF1⁻ formula and let N be the corresponding 
clause set. Then: (i) Any R_hyp derivation from N terminates. (ii) φ is unsatis- 
fiable iff all branches in any complete R_hyp derivation with root N are closed. 
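The restriction to positive ground unit premises turns each hyperresolution step into a matching problem rather than a unification problem. The following added Python example (not the authors' prover) runs that strategy on a constructed GF1⁻ clause set, the clauses of φ(x) = ∀y(R(x,y) → P(y)) ∧ ∃y(R(x,y) ∧ ¬P(y)) in the literal encoding assumed in the preliminaries: ground unit resolvents are added to the branch, ground non-unit resolvents are split into one subtree per disjunct, and the empty clause closes a branch. The clause sets UNSAT and SAT are constructed for the example; redundancy elimination and the uni-node bookkeeping of the real procedure are left out.

```python
"""Hyperresolution with ground unit positive premises plus splitting, run on a
constructed GF1⁻ clause set.  Added example, not the authors' prover.  Literals
are (positive, predicate, args); variables are strings, ground terms are
(name, args) tuples."""


def subst(t, sub):
    return sub[t] if isinstance(t, str) else (t[0], tuple(subst(a, sub) for a in t[1]))


def match(pat, ground, sub):
    """One-way matching of a clause term against a ground term, extending sub."""
    if isinstance(pat, str):
        if pat in sub:
            return sub[pat] == ground
        sub[pat] = ground
        return True
    return (pat[0] == ground[0] and len(pat[1]) == len(ground[1])
            and all(match(p, g, sub) for p, g in zip(pat[1], ground[1])))


def matchings(negs, facts, sub):
    """Every substitution matching all negative literals against unit facts."""
    if not negs:
        yield sub
        return
    pred, args = negs[0]
    for fpred, fargs in facts:
        s = dict(sub)
        if fpred == pred and len(fargs) == len(args) and all(match(p, g, s) for p, g in zip(args, fargs)):
            yield from matchings(negs[1:], facts, s)


def saturate(facts, rules):
    """One branch of the derivation tree.  Returns the unit facts of an open complete
    branch (a Herbrand model of the clauses) or None if every branch below is closed."""
    facts = set(facts)
    while True:
        new, disjunctions = set(), []
        for negs, poss in rules:
            for sub in matchings(negs, facts, {}):
                res = tuple((p, tuple(subst(a, sub) for a in args)) for p, args in poss)
                if not res:
                    return None  # empty clause derived: branch closed
                if len(res) == 1:
                    new.add(res[0])
                elif not any(lit in facts for lit in res):
                    disjunctions.append(res)  # ground non-unit resolvent: to be split
        new -= facts
        if new:
            facts |= new
            continue
        if not disjunctions:
            return facts  # complete open branch
        for lit in disjunctions[0]:  # splitting: one subtree per disjunct
            model = saturate(facts | {lit}, rules)
            if model is not None:
                return model
        return None


def refute(clauses):
    """None if the clause set is unsatisfiable, otherwise a model of it."""
    facts, rules = set(), []
    for c in clauses:
        negs = [(p, a) for pos, p, a in c if not pos]
        poss = [(p, a) for pos, p, a in c if pos]
        if not negs and len(poss) == 1:
            facts.add(poss[0])  # input units of a GF1⁻ clause set are ground
        else:
            rules.append((negs, poss))
    return saturate(facts, rules)


A1, F1X = ('a1', ()), ('f1', ('x',))
# Constructed clause set of φ(x) = ∀y(R(x,y) → P(y)) ∧ ∃y(R(x,y) ∧ ¬P(y)); unsatisfiable
UNSAT = [
    [(True, 'Q0', (A1,))],
    [(False, 'Q0', ('x',)), (True, 'Q1', ('x',))],
    [(False, 'Q0', ('x',)), (True, 'Q3', ('x',))],
    [(False, 'Q1', ('x',)), (False, 'R', ('x', 'y')), (True, 'Q2', ('y',))],
    [(False, 'Q2', ('y',)), (True, 'P', ('y',))],
    [(False, 'Q3', ('x',)), (True, 'R', ('x', F1X))],
    [(False, 'Q3', ('x',)), (True, 'Q4', (F1X,))],
    [(False, 'Q4', ('y',)), (False, 'P', ('y',))],
]
# Same with the second conjunct ∃y(R(x,y) ∧ (P(y) ∨ ¬P(y))); the disjunction forces a split
SAT = UNSAT[:-1] + [
    [(False, 'Q4', ('y',)), (True, 'Q5', ('y',)), (True, 'Q6', ('y',))],
    [(False, 'Q5', ('y',)), (True, 'P', ('y',))],
    [(False, 'Q6', ('y',)), (False, 'P', ('y',))],
]
```

`refute(UNSAT)` returns None: from Q0(a1) the branch derives Q3(a1), R(a1, f1(a1)), Q4(f1(a1)), Q2(f1(a1)) and P(f1(a1)), after which the clause ¬Q4(y) ∨ ¬P(y) yields the empty clause. `refute(SAT)` returns the eight unit facts of the first open complete branch, in which the split on Q5(f1(a1)) ∨ Q6(f1(a1)) succeeds with the first disjunct.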

We now recall the definitions of some notions from [11] (which are closely 
related to notions introduced in [?]). By the class of GF1⁻ clause sets we mean 
the class of all clause sets N for which a GF1⁻ formula φ exists such that N is the 
clausal form of φ as described above. Let N be a GF1⁻ clause set. A function 
symbol f_k is said to be associated with a predicate symbol Q iff N contains 
a definitional clause of the form ¬Q(x̄) ∨ G(x̄, f̄(x̄)) in which f_k occurs. A set 
{t_1, …, t_n} (or sequence t̄ = (t_1, …, t_n)) of ground terms is called a uni-node iff 
either each t_i, 1 ≤ i ≤ n, is a constant, or there exists a predicate symbol Q and 
a sequence of ground terms s̄, such that each t_i, 1 ≤ i ≤ n, has the form f_k(s̄), 
where f_k is a function symbol associated with Q. A uni-node X_2 is called a direct 
successor of a uni-node X_1 iff there is a predicate symbol Q such that for each 
element t of X_2 there is a function symbol f_k, associated with Q, and t = f_k(s̄), 
where s̄ is a sequence of precisely the elements of X_1. A set (or sequence) of 
ground terms is called a bi-node iff it can be presented as a union X_1 ∪ X_2 of 
two non-empty disjoint uni-nodes X_1 and X_2 such that X_2 is a direct successor 
of X_1. A ground literal is a uni-node (bi-node) iff the set of its arguments is a 
uni-node (bi-node). A clause is a uni-node (bi-node) iff the set of the arguments 
of all literals in it is a uni-node (bi-node). The successor relation on uni-nodes 
is the transitive closure of the direct successor relation. (See [?] for examples.) 

3 A Space Efficient Resolution Decision Procedure 

Due to space restrictions we only describe the modifications necessary to turn the 
main procedure of a standard saturation based theorem prover with splitting [22] 
into a space efficient decision procedure for GF1⁻ and stipulate the main results. 

The procedure exploits the tree structure of uni-nodes induced by bi-nodes 
of the form Q(s̄, t̄). With each uni-node s̄ we can associate all unit clauses of the 
form Q(s̄). Then, inferences never involve premises Q(s̄) and Q'(t̄) associated 
with distinct uni-nodes s̄ and t̄. Thus, the sets of clauses associated with differ- 
ent uni-nodes can be investigated independently of each other in a depth-first 
manner. This is sometimes called the trace technique. However, similarly to the 
modal logic KB or description logics with inverse roles, clauses associated with 
a uni-node t̄ can be used to derive additional clauses associated with a uni-node 
s̄ such that t̄ is a direct successor of s̄. This suggests a way of investigating the 
uni-nodes of the tree structure that minimises the space required to store the 
uni-node clauses associated with the nodes and goes as follows. 

Suppose we are currently investigating a uni-node s̄. We first try to derive all 
uni-node clauses associated with s̄. If one or more of these clauses is a non-unit 
clause, we apply the splitting rule which generates additional branches in the 
derivation tree. If we derive a contradiction, then the current branch is closed 
and we backtrack to an alternative open branch. If no open branch exists, then 
the clause set and also the GF1⁻ formula under consideration are unsatisfiable. If 
we do not derive a contradiction, then we continue by deriving all bi-nodes of the 
form G(s̄, f̄(s̄)) providing us with the information of which direct successors of s̄ 
exist. We continue by investigating each of these successor nodes independently. 
Using the clauses stemming from the existentially and universally quantified for- 
mulae of the GF1⁻ formula under consideration we first establish an initial set 
of clauses associated with a particular successor node f̄(s̄). We then recursively 
call the main procedure for this initial set of clauses. The recursive call can lead 
to three different results. First, we may derive a contradiction by an application 
of positive hyperresolution to the clauses associated with one of the uni-nodes. 
Again, the current branch of the derivation is closed and we move to an alterna- 
tive open branch of the derivation (no investigation of other successor nodes of s̄ 
is necessary). Second, we may not derive a contradiction, but while considering 
Procedure 1 Space efficient resolution decision procedure

Procedure ResolutionProver(s, US, WO)
local N, NEW, R, Given, Flag;
begin
  while (US ≠ ∅ and (⊥ ∉ US or not StackEmpty(Stack))) do
    if (⊥ ∈ US) then
      (Stack, US, WO) := backtrack(Stack, US, WO)
    else
      (N, Flag, US) := choose(US, WO);
      if (Flag ∈ {BOOLEAN, DEFAULT, UNI-NODE, UNIV}) then
        (Given, N) := PickAndDelete(N);
        if (Splittable(Given)) then
          NEW := FirstSplitCase(Given);
          Stack := push(Stack, SecondSplitCase(Given))
        else
          WO := WO ∪ {Given};
          NEW := inf(Given, WO);
          (NEW, WO, US) := ired(NEW, WO, US);
        US := US ∪ NEW
      else (* Flag ∈ {EXIST, BI-NODE} *)
        (R, US, WO) := InvestigateAllSuccessors(s, N, Flag, US, WO);
        if (restart(t) ∈ R for some t) then return(R)
  return(US)
end



f(s) we derive some additional clause associated with s. In this case we delete 
the clauses associated with the successor node f(s), backtrack to the node s, add 
the newly derived clause, and restart the investigation of this node. The node 
f(s) will then be revisited later. This has been referred to as the reset-restart 
technique [?]. Third, we may neither derive a contradiction nor additional infor- 
mation about a predecessor node. Then we can delete all clauses associated with 
f(s) and turn to some other successor node g(s). If there is no other successor 
node, then the clause set is satisfiable. 

The main procedure ResolutionProver presented in Procedure 1 follows the 
search strategy just outlined. ResolutionProver operates on two sets of clauses US 
and WO (the set of usable clauses and the set of worked-off clauses). The set 
WO contains all the clauses that have already been used as (positive) premises 
in inference steps (or can never be used as positive premises) and the set US 
contains all the clauses that still need to be considered as (positive) premises. 
Let N denote the clauses obtained from a given GF1⁻ formula φ. Initially US 
is the singleton set {Q_φ(a)} while WO is N − {Q_φ(a)}. 

The procedure proceeds in a while-loop which terminates if either the set 
US is empty or US contains the empty clause and there are no more alternative 
open branches in the derivation tree generated by applications of the splitting 
rule that can be considered. In the while-loop we choose some of the clauses 
from US, perform the inferences possible with these clauses and update US and 
WO accordingly. Note that ResolutionProver takes as an additional argument a 
Procedure 2 The procedure choose for guarded formulae

Procedure choose(US, WO)
local N, Q, Q', C, t, x, f(x);
begin
  if (Q(t) ∈ US for some Q, not newly introduced, and Q(t) is a uni-node) then
    return({Q(t)}, UNI-NODE, US − {Q(t)})
  else if (Q(t) ∈ US where ¬Q(x) ∨ ¬G(x, y) ∨ Q'(y) ∈ WO) then
    return({Q(t)}, UNIV, US − {Q(t)})
  else if (Q(t) ∈ US where ¬Q(x) ∨ C is a Boolean definitional clause in WO) then
    return({Q(t)}, BOOLEAN, US − {Q(t)})
  else if (C ∈ US where C is ground, but non-unit) then
    return({C}, BOOLEAN, US − {C})
  else if (Q(t) ∈ US where ¬Q(x) ∨ G(x, f(x)) ∈ WO) then
    N := {Q(t) ∈ US | ¬Q(x) ∨ G(x, f(x)) ∈ WO or ¬Q(x) ∨ Q'(f(x)) ∈ WO};
    return(N, EXIST, US − N)
  else if (Q(s, t) ∈ US for some Q, not newly introduced, and Q(s, t) is a bi-node) then
    return({Q(s, t)}, BI-NODE, US)
  else if (C is some (arbitrary) clause in US) then
    return({C}, DEFAULT, US − {C})
end



sequence of terms t which is the uni-node the procedure is currently working on. 
The uni-node the procedure ResolutionProver is initially working on will be a. 

The procedure choose selects the clauses which will be the next to serve as 
one of the premises of an inference; it is a so-called clause selection function. 
Normally, it selects one clause according to some heuristic taking the ‘complexity’ 
and ‘age’ of clauses into account. Instead, the modified version of choose presented 
in Procedure 2 chooses a set of clauses in a way that allows us to take advantage 
of the trace technique. For this purpose we have to delay the consideration of 
clauses related to existentially quantified formulae until all other clauses have 
been dealt with. To ensure this, choose not only selects potential positive 
premises accordingly, but also passes information about the corresponding negative 
premises back to the main procedure in the form of a flag. In all cases, except 
if the value of the flag is ‘BI-NODE’, choose also returns the set US from which 
the chosen clauses have been removed. 

Three additional procedures used by ResolutionProver are PickAndDelete, inf, 
and ired. Given a set N of clauses the procedure PickAndDelete selects a clause 
C from N according to some appropriate heuristic and returns it together with 
N − {C}. The actual inferences by hyperresolution and factoring¹ are performed 
by the procedure inf. Tautologies and subsumed clauses are removed from the sets 
NEW, WO, and US by the procedure ired. 

If choose returns the flag value ‘EXIST’ or ‘BI-NODE’, then the investigation 
of the current uni-node is complete and we are about to turn to its successor 

¹ For completeness we do not need factoring for GF1⁻ clause sets because all derived 
non-unit clauses are ground and can be split. 
Procedure 3 Investigation of all successor nodes

Procedure InvestigateAllSuccessors(t, N, Flag, US, WO)
local AUXUS, AUXWO, B, G, NEW, R, UNIVS, Given, Q, Q', s;
begin
  AUXUS := US ∪ N;
  AUXWO := WO;
  if (Flag = EXIST) then
    while (N ≠ ∅) do
      (Given, N) := PickAndDelete(N);
      WO := WO ∪ {Given};
      NEW := inf(Given, WO);
      (NEW, WO, US) := ired(NEW, WO, US);
      US := US ∪ NEW;
  UNIVS := {Q(t) ∈ US ∪ WO | ¬Q(x) ∨ ¬G(x, y) ∨ Q'(y) ∈ WO};
  B := {G(t, s) | G(t, s) ∈ US ∪ WO and G(t, s) is a bi-node};
  while (B ≠ ∅ and ⊥ ∉ US) do
    (Given, B) := PickAndDelete(B);
    (R, US) := InvestigateOneSuccessor(t, US, WO, UNIVS, Given);
    if (restart(s) ∈ R for some s) then
      if (depth(s) = depth(t)) then
        US := AUXUS ∪ R − {restart(s)};
        WO := AUXWO;
        B := ∅;
        R := ∅
      else
        B := ∅;
  return(R, US, WO)
end



nodes, which is done by the procedure InvestigateAllSuccessors in Procedure 3. To 
do this, we first have to establish which successor nodes exist for the current uni- 
node. If the value of the flag is ‘EXIST’, then the set of selected clauses returned 
by choose contains all the unit clauses which can be resolved with clauses stem- 
ming from existentially quantified subformulae of φ to generate clauses of the 
form G(t, s) and Q_ψ(s) where s is a direct successor of t. These clauses are com- 
puted and added to US. Besides clauses of the form Q_ψ(s) which already provide 
information about the successor node s, additional information can be derived 
using unit clauses Q_ψ(t) together with G(t, s) and ¬Q_ψ(x) ∨ ¬G(x, y) ∨ Q_ψ'(y). 
We compute the set of all these unit clauses and assign it to UNIVS and we 
also compute the set of all bi-nodes of the form G(t, s) and assign it to B. As 
described in the outline of the search strategy of the main procedure, we want to 
investigate the successor nodes independently of each other. Therefore, we con- 
sider each element of B using the procedure InvestigateOneSuccessor presented 
in Procedure 4. InvestigateOneSuccessor adds the element of B to the set WO 
to form the set WO' and uses it and the clauses in UNIVS to compute ad- 
ditional uni-node clauses associated with the successor node it investigates and 
stores them in NEW. If we already derive the empty clause at this point, then 
Procedure 4 Investigation of a single successor node

Procedure InvestigateOneSuccessor(t, US, WO, UNIVS, Binode)
local WO', NEW, R, Given, s;
begin
  WO' := WO ∪ {Binode};
  NEW := ∅;
  while (UNIVS ≠ ∅ and ⊥ ∉ NEW) do
    (Given, UNIVS) := PickAndDelete(UNIVS);
    NEW := NEW ∪ inf(Given, WO');
    (NEW, WO', US) := ired(NEW, WO', US);
  if (⊥ ∈ NEW) then
    return({⊥}, US ∪ NEW)
  else if (Q(s) ∈ NEW such that s is not a successor of t) then
    return({Q(s) | Q(s) ∈ NEW} ∪ {restart(s)}, US)
  else
    s := SuccessorOf(t, Binode);
    R := {Q(s) | Q(s) ∈ US};
    NEW := NEW ∪ R;
    US := US − R;
    R := ResolutionProver(s, NEW, WO');
    if (restart(s) ∈ R) then return(R, US) else return(∅, US − {Binode})
end



InvestigateOneSuccessor returns the set US containing the empty clause to the 
main procedure, which will conclude that the clause set under consideration is 
unsatisfiable. If we do not derive a contradiction, but additional information 
about a node s which is not a successor of t, the uni-node under investigation 
by the main procedure, then we return the additional information to Investi- 
gateAllSuccessors together with an instruction to restart the investigation for s. 
This instruction is encoded in a special unit clause restart(s) that we add to 
the result returned. Otherwise, we determine the successor node s of t by using 
the function SuccessorOf, collect the information about s contained in US in 
R, add the clauses in R to NEW and delete them from US, and call the main 
procedure ResolutionProver with parameters s, NEW, and WO'. The important 
point here is that the set of usable clauses on which ResolutionProver will work 
only contains uni-nodes associated with s. 

Theorem 3. The following holds for the refined decision procedure: (i) The pro- 
cedure choose ensures a fair selection of positive premises. (ii) The refined deci- 
sion procedure is sound. (iii) The refined decision procedure is complete. 

In general the space requirement of the refined decision procedure is still 
exponential in the size of the given GF1⁻ formula. To achieve the polynomial 
space bound we have to assume that either (i) the predicates have bounded arity, 
or (ii) each subformula of a GF1⁻ formula has a bounded number of free 
variables. These assumptions have been made in [?] in order to establish that 
the satisfiability problem of the guarded fragment is complete for exponential 
time and are weaker than the ones made in [?]. 
Theorem 4. Under one or both of the assumptions (i) and (ii) the refined pro- 
cedure decides the satisfiability of GF1⁻ formulae in polynomial space. 

There are three important points worth noting. (i) Even with either, or both, 
of the assumptions made above a standard saturation theorem prover based on 
R^hyp would require exponential space, that is, the modifications described in this 
section are essential for Theorem 4. (ii) Since the procedure deletes clauses which 
are not redundant by the standard definition, the set of positive ground unit 
clauses it keeps does not necessarily form a Herbrand model of the clause set N 
at any point in the derivation. (iii) While our procedure imposes a certain order 
on the selection of clauses, this order still provides flexibility for further refine- 
ment and heuristics. In particular, all the standard heuristics used in tableaux 
decision procedures for description logics can still be utilised. On the other hand 
most of the heuristics found in resolution theorem provers will provide little 
guidance due to the particular normal form used. 

4 Generating Minimal Herbrand Models 

A Herbrand interpretation is a set of ground atoms. By definition a ground atom 
A is true in the interpretation H if A ∈ H and it is false in H if A ∉ H; ⊤ is 
true in all interpretations and ⊥ is false in all interpretations. A literal ¬A is 
true in H iff A is false in H. A clause C is true in an interpretation H iff for all 
ground substitutions σ there is a literal L in Cσ which is true in H. A set N 
of clauses is true in H iff all clauses in N are true in H. If a set N of clauses is 
true in an interpretation H then H is referred to as a Herbrand model of N. An 
interpretation H is a minimal Herbrand model for a set N of clauses iff H is a 
Herbrand model of N and for no Herbrand model H' of N, H' ⊂ H holds. 

A clause C is range restricted iff the set of variables in the positive part 
of C is a subset of the variables of the negative part of C. This means that a 
positive clause is range restricted only if it is a ground clause. A clause set is 
range restricted iff it contains only range restricted clauses. 

Lemma 1. Let N be the clausal form of a GF1⁻ formula φ. Then, any clause 
in N and any clause derived from N by R^hyp is range restricted. 

For range restricted clauses, the open branches of a complete derivation tree T 
constructed by an R^hyp derivation for N describe Herbrand models in a very simple 
way. These models are finite for any subclass of the class of range-restricted clause 
sets which is decidable by R^hyp, for example the class of GF1⁻ clause sets. Let 
[[B]] denote the set of positive ground unit clauses in the limit N_∞ of a branch 
B of a (complete or incomplete) derivation tree T for a clause set N. 

Theorem 5 ([?]). Let N be the clausal form of a GF1⁻ formula φ, and let 
N_∞ be the limit of any branch B in an R^hyp derivation tree with root N. If N_∞ 
does not contain the empty clause, then [[B]] is a finite (Herbrand) model of N. 

We refer to [[B]] as a (partial Herbrand) model for N represented by the open 
branch B. 
Theorem 6 (Minimal model completeness [6]). Let N be a satisfiable set 
of range restricted clauses, and let T be any complete derivation tree con- 
structed from N. For every minimal model H there is an open branch B in T 
such that [[B]] coincides with the ground atoms in H. 

As GF1⁻ clause sets are range restricted it follows immediately that for every 
minimal model H there is an open branch B in a derivation from a GF1⁻ clause 
set N such that [[B]] coincides with the ground atoms in H. However, not every 
model computed with R^hyp is a minimal model of the input set. 

One way to ensure that only minimal models are generated is the use of 
model constraints. If [[B]] = {A1, ..., An} is the finite Herbrand model of an 
open branch B, then let ¬[[B]] denote the clause ¬A1 ∨ ... ∨ ¬An. The clause ¬[[B]] is 
called a model constraint. Suppose B is an open, complete branch in a derivation 
and we add ¬[[B]] to a branch B' distinct from B. If B' would otherwise generate 
a model [[B']] which is a superset of [[B]], then we will now be able to derive 
a contradiction using ¬[[B]]. Because [[B]] may not be a minimal model, it is not 
enough to add a model constraint to branches which are incomplete with respect 
to R^hyp (i.e. branches which can be further expanded by the application of an R^hyp 
inference rule). A model constraint also needs to be added to branches complete 
with respect to R^hyp. In this case, adding the model constraint ¬[[B]] to the leaf of 
a complete branch B' may change the status of B' from complete to incomplete, 
and it is possible to perform a single additional hyperresolution inference which 
closes B'. Some additional bookkeeping is necessary to ensure that a model 
constraint generated by a branch B is propagated only once. We achieve this by 
introducing the concept of a finished branch. A branch is finished once its model 
constraint has been added to all relevant branches of the derivation. 

Formally, we extend our calculus by the following model constraint propaga- 
tion rule. The calculus based on factoring, hyperresolution, splitting, and model 
constraint propagation is referred to below as the extended calculus. 

Model constraint propagation: Let B be an open, non-finished branch which 
is complete with respect to R^hyp. Then add the clause ¬[[B]] to all leaves of branches 
in the derivation tree which are incomplete with respect to R^hyp or are marked 
finished. We say the model constraint propagation rule is applied to B. Once the 
rule has been applied, B will be marked finished. 

The rule ensures that the model constraint is propagated to all relevant branches. 
Since the model constraint propagation rule can only be applied to branches 
which are not marked as finished and a branch is marked finished immediately 
after the model propagation rule has been applied to it, the rule is applied at 
most once to any branch in the derivation tree. 

Theorem 7. Let φ be a GF1⁻ formula and let N be the corresponding clause 
set. Then: (i) Any derivation from N in the extended calculus terminates. (ii) φ is 
unsatisfiable iff all branches in any completed derivation tree with root N are closed. 

Theorem 8. Let N be the clausal form of a GF1⁻ formula φ. Then: (i) If [[B]] 
is the set of positive ground unit clauses in the limit of an open branch in an 
extended-calculus derivation tree from N, [[B]] forms a minimal Herbrand model for 
N. (ii) The extended calculus generates only minimal Herbrand models for N. 
(iii) The extended calculus generates all minimal Herbrand models for N, and does 
so only once. 

The extended calculus is generally sound and complete. For range restricted 
clauses, the previous theorem is true as well. But it is, of course, not a decision 
procedure for the class of range restricted clauses; for example, it does not 
terminate on this simple clause set: {P(a), ¬P(x) ∨ P(f(x))}. 

The calculus above supports arbitrary branch selection functions and clause 
selection functions provided that derivations are fair. However, branch selection 
and clause selection functions have an impact on the performance of an imple- 
mentation, and developing good strategies is crucial for practical applications. 

The minimal model generation procedure of Bry and Yahya [?] can be viewed 
as a refinement of the extended calculus with an additional rule, the complement 
splitting rule, and with a particular branch selection function which always 
selects the left-most open branch in a derivation tree. 



Complement splitting: 

                     N ∪ {C1 ∨ C2}
          --------------------------------
          N ∪ {C1, ¬C2}     |     N ∪ {C2}

where C2 is a ground clause. 



The complement splitting rule can be seen as a variant of the folding down 
rule [?] or as a combination of the cut rule (applied to C2), clause reduction 
(replacing C1 ∨ C2 by C1 in the presence of ¬C2), and subsumption deletion 
(removing C1 ∨ C2 in the presence of C2). Complement splitting ensures that 
the first (and left-most) completed open branch B determines a minimal model. 
The model constraint propagation rule then adds the model constraint ¬[[B]] to 
all leaves of branches to the right of the current branch. Subsequent models 
generated are always minimal, and only constraints of minimal models are prop- 
agated. Hence, there is no need for the marking scheme of the extended calculus 
which ensures that the model constraint propagation rule is applied only once 
to a branch. 

The Bry-Yahya procedure is sound and complete, and for range restricted 
clauses the set of generated models is exactly the set of minimal Herbrand models 
of the input set [?]. Thus clearly, this approach is also applicable to GF1⁻. 

A disadvantage of the extended calculus and the Bry-Yahya procedure is their 
worst-case space requirement. Let φ be a GF1⁻ formula of size n and let N be the 
corresponding set of clauses. Let e2(n) denote 2^{2^n}. Since we have to maintain 
a complete representation of the models during the derivation, the space optimisation 
techniques described in Section 3 cannot be applied here. Ignoring the model con- 
straints, the space required to maintain the essential information on a branch, 
in other words, the clauses in the leaf of the branch, is bounded by O(n² e2(n)), 
which is also the space required to store a Herbrand model of N, while the 
number of branches is bounded by O(2^{n² e2(n)}). Since a model constraint contains 
the negation of each atom occurring in a Herbrand model, the space required 
for a model constraint is again bounded by O(n² e2(n)). In the worst case, each 
branch generates a model constraint which is propagated to all the remaining 
branches. Thus, in the worst case, a minimal model generation procedure based 
on the extended calculus stores all the essential information for all the branches in 
the derivation plus all the model constraints propagated to all branches in space 
bounded by O(2^{n² e2(n)} (n² e2(n) + 2^{n² e2(n)} n² e2(n))). This gives a triple 
exponential space bound. Using the Bry-Yahya approach we can discard a branch 
once it has been closed or has produced a minimal model and its model constraint 
has been propagated, and only for minimal models do we generate and keep model 
constraints. This brings the space requirement down to O(n² e2(n) + …). This is 
an improvement over the general procedure, although it is still triple expo- 
nential. Likewise, the time complexity of derivations is a triple exponential 
function. 

A way of reducing the space requirement of minimal model generation is by 
adopting the approach of Niemelä which is based on the following obser- 
vation. Given a (finite) set H of positive ground atoms (or unit clauses) de- 
fine ¬H = {¬A | A ∈ H} and let H̄ denote the clause ∨_{A ∈ H} ¬A. Let N be a 
set of clauses and U be the set of all atoms over the Herbrand universe of N. 
Let H be a finite Herbrand model of N. Then H is a minimal Herbrand model 
of N iff MMT(N, H) = N ∪ ¬(U − H) ∪ {H̄} is unsatisfiable. This minimality 
test is called the groundedness test. Thus, we can use R^hyp to enumerate all 
models of a GF1⁻ clause set N and also use R^hyp to test each model H for 
minimality by testing MMT(N, H) for unsatisfiability. This approach has been 
applied and refined in [?]. A practical problem from our perspective is that these 
approaches have been described for propositional or ground clause logic only. In 
this case, the set U, and therefore U − H, are always finite. In the case of GF1⁻, 
the Herbrand universe of GF1⁻ clause sets is infinite in general and thus, U and 
U − H can be infinite sets. However, we observe that in the case of an R^hyp 
derivation from MMT(N, H), the clauses in ¬(U − H) have only the effect of 
deriving a contradiction in any clause set N' derivable from N which contains a 
positive unit clause not in H. Since H itself is finite, this effect is straightforward 
to implement. 

Procedure 5 defines a minimal model generation procedure MMG using this 
variant of Niemelä's groundedness test. Like ResolutionProver, MMG operates on 
the two sets of clauses US and WO. Since for the groundedness test we 
need the initial set of clauses, MMG takes as additional arguments the original 
sets of usable and worked-off clauses (IUS and IWO). In its incarnation as 
groundedness test, procedure MMG requires the Herbrand model H it has to 
check for minimality as an argument. The last parameter of MMG (i.e. Flag) 
distinguishes whether MMG operates as the minimal model generator (when the 
value of Flag is true) or as the groundedness test procedure (when the value of 
Flag is false). Applied to a set N of clauses obtained from a GF1⁻ formula φ, 
initially US is the singleton set {Q_φ(a)} and WO is N − {Q_φ(a)}, and the call 
MMG(US, WO, US, WO, ∅, true) will print out all minimal Herbrand models 
of N. 

In the procedure MMG, choose' selects an arbitrary clause (according to some 
heuristic) and returns it together with the set of usable clauses from which the 
Procedure 5 Minimal model generation procedure

Procedure MMG(US, WO, IUS, IWO, H, Flag)
local NEW, C_mc, Given;
begin
  repeat
    while (US ≠ ∅ and (⊥ ∉ US or not StackEmpty(Stack))) do
      if (⊥ ∈ US) then
        (Stack, US, WO) := backtrack(Stack, US, WO)
      else
        (Given, US) := choose'(US, WO);
        if (Splittable(Given)) then
          NEW := FirstSplitCase(Given);
          Stack := push(Stack, SecondSplitCase(Given))
        else
          WO := WO ∪ {Given};
          NEW := inf(Given, WO);
        if (not Flag and ∃A : A ∈ PGUC(NEW) ∧ A ∉ H) then
          US := US ∪ {⊥}
        else
          (NEW, WO, US) := ired(NEW, WO, US);
          US := US ∪ NEW
    C_mc := ∨_{A ∈ PGUC(WO)} ¬A;
    if (Flag and ⊥ ∈ MMG(IUS ∪ {C_mc}, IWO, ∅, ∅, PGUC(WO), false)) then
      print(PGUC(WO));
      US := US ∪ {⊥}
    else
      return(US)
  until (StackEmpty(Stack))
end



chosen clause has been removed, and PGUC(N) is a function returning the set of 
all positive ground unit clauses occurring in a clause set N. 

We assume that once a minimal model has been generated and printed, we 
can discard it from the memory. Similar to the Bry-Yahya approach, MMG only 
needs to store one branch at a time. However, it does not need to store any 
model constraints. Instead we need some additional space for the minimality 
test. Again, during the minimality test we only have to store one branch of 
the derivation and, in addition, the model we test for minimality. For a GF1⁻ 
formula of size n, this brings the space requirement down to O(n² e2(n)), which 
is a considerable improvement (by one exponent). An upper bound of the time 
complexity is O((… + 1) n² e2(n)), although we believe that improvements 
of the search strategy during the minimality tests and a closer analysis can 
improve this bound. So, for GF1⁻ MMG is a minimal model generator of double 
exponential space and triple exponential time complexity. 

The complexity bounds do not improve under assumptions like the ones we 
made in Section 3 where we assumed bounds on either the arity of predicate 
symbols or the number of free variables in subformulae of GF1⁻ formulae. 
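To make the two minimality mechanisms of this section concrete, the following Python program is an added illustration (not code from the paper or its authors). It implements ground hyperresolution with splitting over a range-restricted clause set whose atoms are propositional-style ground atoms, so that a branch's model [[B]] is just the set of derived atoms. On top of that enumerator it runs (a) Niemelä's groundedness test, checking MMT(N, H) = N ∪ ¬(U − H) ∪ {H̄} for unsatisfiability exactly as stated above, which is the MMG strategy, and (b) Bry-Yahya complement splitting with left-most branch selection and model-constraint propagation. Because the clauses are ground, U is finite and ¬(U − H) is added literally as negative unit clauses rather than through the on-the-fly check of Procedure 5. The clause sets and all function names are constructed for this example and are not the paper's.

```python
"""Ground hyperresolution with splitting, the groundedness test and
Bry-Yahya complement splitting with model-constraint propagation.
Added example; the clause sets below are constructed for illustration."""


def clause(neg=(), pos=()):
    """A clause ¬n1 ∨ ... ∨ ¬nk ∨ p1 ∨ ... ∨ pm over ground atoms (strings).
    All positive clauses are ground, so every clause here is range restricted;
    pos == () is the empty clause ⊥."""
    return (frozenset(neg), tuple(pos))


def branches(clauses, facts=frozenset(), shared=(), complement=False):
    """Yield the model [[B]] (a frozenset of atoms) of every open branch B of
    the hyperresolution + splitting derivation tree, left-most branch first.
    `shared` is re-read at every step, so clauses the caller appends to it
    while iterating reach every branch that is still open: that is how model
    constraints are propagated below. With complement=True the split on
    C1 ∨ C2 is the Bry-Yahya rule: left branch C1 plus the negative units
    ¬C2, right branch C2."""
    clauses, facts = list(clauses), set(facts)
    while True:
        # a clause fires when all its negative atoms are facts and none of its
        # positive atoms is; the hyperresolvent is the ground clause `pos`
        fired = next(((n, p) for n, p in clauses + list(shared)
                      if n <= facts and not any(a in facts for a in p)), None)
        if fired is None:          # nothing fires: branch complete and open
            yield frozenset(facts)
            return
        neg, pos = fired
        if not pos:                # derived the empty clause: branch closed
            return
        if len(pos) == 1:          # unit conclusion: extend the partial model
            facts.add(pos[0])
            continue
        # non-unit ground conclusion: split; the parent is subsumed in both
        # branches, so drop it (otherwise it would be re-derived forever)
        rest = [c for c in clauses if c != fired]
        first, others = pos[0], pos[1:]
        left = rest + ([clause({a}) for a in others] if complement else [])
        yield from branches(left, facts | {first}, shared, complement)
        yield from branches(rest + [clause((), others)], facts, shared, complement)
        return


def is_model(clauses, H):
    """H is a Herbrand model of the clause set iff every clause is true in H."""
    return all(not n <= H or any(a in H for a in p) for n, p in clauses)


def is_minimal(clauses, H):
    """Groundedness test: H is minimal iff MMT(N,H) = N ∪ ¬(U−H) ∪ {¬A1 ∨ ... ∨ ¬An}
    is unsatisfiable. U (all atoms of N) is finite here, so ¬(U−H) is added
    as negative unit clauses instead of MMG's on-the-fly check."""
    U = {a for n, p in clauses for a in (*n, *p)}
    mmt = list(clauses) + [clause({a}) for a in U - H] + [clause(H)]
    return next(branches(mmt), None) is None     # unsatisfiable: no open branch


def mmg(clauses):
    """MMG strategy: enumerate models by plain splitting and keep only those
    passing the groundedness test; only one branch plus H is held at a time."""
    return [H for H in branches(clauses) if is_minimal(clauses, H)]


def bry_yahya(clauses):
    """Complement splitting, left-most first; after each completed model its
    constraint ¬A1 ∨ ... ∨ ¬An is propagated to all branches still open."""
    shared, models = [], []
    for H in branches(clauses, shared=shared, complement=True):
        models.append(H)
        shared.append(clause(H))
    return models


# Constructed example: N = {P ∨ Q, P ∨ R}. Plain splitting also yields the
# non-minimal model {P, Q} ⊃ {P}; both mechanisms suppress it.
EXAMPLE = [clause((), ("P", "Q")), clause((), ("P", "R"))]

if __name__ == "__main__":
    print("all models:", [sorted(H) for H in branches(EXAMPLE)])
    print("MMG:       ", [sorted(H) for H in mmg(EXAMPLE)])
    print("Bry-Yahya: ", [sorted(H) for H in bry_yahya(EXAMPLE)])
```

Running the block on the constructed set shows the point made in the text about propagation: complement splitting alone still completes the branch with model {P, Q} (to the right of the first minimal model {P}), and it is the propagated constraint ¬P that closes that branch with one extra hyperresolution step, while the groundedness test rejects {P, Q} because MMT(N, {P, Q}) has the open branch {P}.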
Abstract. Logical omniscience is a well known problem which makes 
traditional modal logics of knowledge, belief and intentions somewhat 
unrealistic from the point of view of modelling the behaviour of a re- 
source bounded agent. We propose two logics which take into account 
‘deliberation time’ but use a more or less standard possible worlds se- 
mantics with classical possible worlds. 



1 Introduction 

There has been considerable recent interest in agent-based systems, systems 
based on autonomous software and/or hardware components which perceive 
their environment and act in that environment in pursuit of their goals. The 
paradigmatic example of an agent is an autonomous robot situated in a physical 
environment, but there are other kinds of agents, including software agents whose 
environment is the Internet and synthetic characters in games and computer en- 
tertainments. Agents integrate a range of (often relatively shallow) competences, 
e.g., goals and reactive behaviour, emotional state and its effect on behaviour, 
natural language, memory and inference. As such they are central to the study 
of many problems in Artificial Intelligence, including modelling human mental 
capabilities (e.g., emotions) and performing complex tasks (e.g., those combining 
perception, planning, and opportunistic plan execution). 

An agent can be viewed as a mapping from percepts to actions (see Fig. 1). 
The agent constantly monitors its environment and selects actions which allow 
it to achieve its goals given the current state of the environment. For example, 
a robot with the goal of delivering a package to an office at the end of the hall 
may modify its path to avoid someone who has just stepped out of an office half 
way down the hall. 

An agent consists of three main components (e.g., [9]): 

— the agent program implements a mapping from percepts to actions (this is 
sometimes called the action selection function or action composition); 

— the agent state includes all the internal representations on which the agent 
program operates (this may include representations of the agent’s environ- 
ment and goals, the plans it has for achieving those goals, which parts of the 
plan have been executed and so on); and 
— the agent architecture, a (possibly virtual) machine that makes the percepts 
from the agent’s sensors available to the agent program, runs the agent pro- 
gram, updates the agent state, and executes the primitive action(s) chosen 
by the agent program. 



[Figure: the Environment supplies Percepts to the Agent, and the Agent returns 
Actions to the Environment] 

Fig. 1. An agent 



Our main concern is with the agent architecture. The architecture defines the 
atomic operations of the agent program, and implicitly defines the components 
of the agent. Building a successful agent system consists largely in finding the 
correct architecture. There is no one correct architecture for all problems; the 
correct architecture depends on the task and environment. 

A major focus of research in intelligent agents has therefore been to un- 
derstand the implications of different agent architectures. One way to do this is 
empirically, by building a range of agent systems with differing architectures and 
conducting controlled experiments (often using simulations) to assess the relative 
advantages and disadvantages of each architecture. Such experiments allow the 
agent designer to learn more about the behaviour of a proposed system, and the 
agent researcher to probe the relationships between agent architectures, environ- 
ments and behaviour [10]. However, conducting experiments, even in simulation, 
is time consuming and costly. Existing work on agent simulation is largely ad- 
hoc, with little re-use of simulation components and scenarios, and often fails to 
distinguish clearly between models of the agent and the test environment, and 
between these models and the simulations themselves. Agent and environment 
models and the simulation mechanisms are typically developed and implemented 
from scratch for each project or application. This limits the re-use of test sce- 
narios, makes it difficult to reproduce previous experimental results and makes 
it difficult to compare architectures and implementations. 

Another approach is to prove properties of the agent architecture. This means 
that we formalise a particular architecture in some logic and prove theorems 
about agent behaviour resulting from the architecture, for example: an agent 
with architecture X will solve a given problem faster than an agent with archi- 
tecture Y ; an agent with architecture Z will not be able to solve a given problem. 
or will not be able to solve it before the environment changes and the solution 
becomes irrelevant. 

However most logical approaches to reasoning about agents are based on ide- 
alisations which make reasoning about agent architectures problematic. Chief 
among those is logical omniscience. The concept of logical omniscience was in- 
troduced by Hintikka in [4] and is usually defined as the agent knowing all logical 
tautologies and all the consequences of its knowledge. For example, the influen- 
tial Belief, Desire, Intention (BDI) framework of Georgeff and Rao [8] models 
agents as logically omniscient. However, logical omniscience is problematic when 
attempting to build realistic models of agent behaviour, as closure under logical 
consequence implies that deliberation takes no time. If processes within the agent 
such as belief revision, planning and problem solving are modelled as derivations 
in a logical language, such derivations require no investment of computational 
resources by the agent. To return to the example of the package delivery robot 
above, when the robot becomes aware of an obstacle in the hall (e.g., from sonar 
data) it instantaneously revises its beliefs to update its representation of the 
world, making decisions about whether the obstacle is real or the result of noisy 
sensor data, and instantaneously decides which steps in its current plan need to 
be revised and derives a new plan to avoid the obstacle. 

There is a significant body of work which has addressed the problem of log- 
ical omniscience from a number of different perspectives including: limiting the 
agent’s deductive capabilities by introducing non-classical worlds in the possi- 
ble worlds semantics [7,3]; distinguishing between beliefs which can be ascribed 
to the agent and the agent’s actual beliefs [6]; and explicitly incorporating the 
notion of resources [1,13]. 

In this paper, we propose an alternative approach which incorporates a notion 
of ‘delayed belief’. This has some similarities to the notion of resources in [1,13] 
but our approach is developed within the context of standard possible worlds 
semantics. We believe that this makes it more transparent and computationally 
tractable. In section 2 we develop the notion of delayed belief and define two 
logics which formalise this notion. We prove that both logics have complete and 
sound axiomatisations and are decidable. In section 3 we briefly survey related 
work and point out similarities and differences with our approach. In section 4 
we outline some open problems and sketch a program of further work. 



2 Delayed Belief 

In this section we consider two logics, $L^=$ and $L^\vdash$. Both logics contain an operator 
$\Box$ which can be interpreted as standing for belief or knowledge¹. These logics 
are our first attempt to incorporate the notion of computational cost (time) in 
reasoning about the agent's beliefs or knowledge. In $L^=$, if at the current moment 
an agent believes $\phi$, then after a fixed delay $\Delta$ it will believe in all propositions 

¹ Or any other propositional attitude where closure under logical equivalence or conse- 
quence could be expected from an ideally rational and computationally unbounded 
agent, but not from a realistic agent. 
equivalent to $\phi$. In $L^\vdash$, after the same delay it will believe in all consequences of 
its beliefs at the previous step. The intuition underlying this notion of delayed 
belief is that an agent is able to draw inferences but needs time to derive conse- 
quences of its beliefs, so it does not believe the consequences instantaneously. 

In both logics, none of the principles usually identified with logical omni- 
science (see for example [12]) is valid: 

$\models \Box\phi \wedge \Box(\phi \to \psi) \to \Box\psi$ (the agent's beliefs are closed under modus ponens) 

$\models \phi \Rightarrow \models \Box\phi$ (the agent believes all tautologies) 

$\models \phi \to \psi \Rightarrow \models \Box\phi \to \Box\psi$ (the agent believes all logical consequences of its 
beliefs) 

$\models \phi \equiv \psi \Rightarrow \models \Box\phi \equiv \Box\psi$ (if $\phi$ and $\psi$ are logically equivalent, the agent 
believes $\phi$ if and only if it believes $\psi$) 

$\models \Box\phi \wedge \Box\psi \to \Box(\phi \wedge \psi)$ (the agent's beliefs are closed under conjunctions) 

$\models \Box\phi \to \Box(\phi \vee \psi)$ (the agent's beliefs are closed under weakening) 

$\models \neg(\Box\phi \wedge \Box\neg\phi)$ (the agent's beliefs are consistent). 

The logics $L^=$ and $L^\vdash$ contain an operator $\Delta$ which stands for 'After a delay'. 
We make several simplifying assumptions concerning A. We assume that the 
world (atomic facts) does not change while the agent is deriving consequences 
of its beliefs (during the delay). We also assume that although new beliefs can 
be added, no beliefs can be removed from the agent’s belief set. These are very 
strong assumptions. We discuss possible ways of overcoming them in Section 4. 

2.1 $L^=$ 

The language of both logics $L^=$ and $L^\vdash$ consists of a set $Prop$ of propositional 
variables $p, q, r, p_1, \ldots$, the usual boolean connectives $\neg, \wedge, \to, \ldots$ and two unary 
modalities: $\Box$, which could be informally read as 'Believes', and $\Delta$, standing for 
'After a delay'. A well formed formula is defined as usual: $p \mid \neg\phi \mid \phi \wedge \psi \mid \Box\phi \mid \Delta\phi$; 
however we require that $\Box\phi$ is a well formed formula only if $\phi$ does not contain 
$\Box$ and $\Delta$. We denote the set of all well formed formulas as $Form$. We denote 
the set of formulas which do not contain $\Box$ and $\Delta$ as $NonModForm$. 

Definition 1. The models of $L^=$ are structures of the form $M = (W, V, R, S)$ 
where $W$ is a non-empty set of possible worlds, $V : Prop \to 2^W$ assigns subsets 
of $W$ to propositional variables, $R \subseteq W \times NonModForm$ is a relation used to 
interpret $\Box$ and $S : W \to W$ is a function (a sort of successor function) which 
is used to describe the next state of the world (after a delay) and interpret $\Delta$. 
The satisfaction relation of a formula being true in a world in a model ($M, w \models \psi$ 
for $w \in W$) is as follows: 

$M, w \models p \iff w \in V(p)$; 

$M, w \models \neg\phi \iff M, w \not\models \phi$; 

$M, w \models \phi \wedge \psi \iff M, w \models \phi$ and $M, w \models \psi$; 

$M, w \models \Box\phi \iff R(w, \phi)$; 

$M, w \models \Delta\phi \iff M, S(w) \models \phi$. 

There are two conditions on $S$: 

Frozen world. For every $p \in Prop$, $w \in V(p) \iff S(w) \in V(p)$. 

Equivalences. For every $\phi \in NonModForm$, if $R(w, \phi)$ or there exists a for- 
mula $\psi$ such that $R(w, \psi)$ and $\vdash \phi \equiv \psi$ in classical propositional logic, then 
$R(S(w), \phi)$. 

The notions of $L^=$-valid and satisfiable formulas are standard: a formula $\phi$ is 
$L^=$-satisfiable if there exists an $L^=$-model $M$ and a world $w$ such that $M, w \models \phi$. 
A formula $\phi$ is $L^=$-valid ($\models \phi$) if all worlds in all models satisfy $\phi$. 

Consider the following axiom system (we will refer to it as $L^=$, too, in the 
light of the completeness theorem which follows): 

Cl Classical propositional logic; 

A1 $\phi \equiv \Delta\phi$ for all $\phi \in NonModForm$; 

A2 $\Delta\phi \vee \Delta\neg\phi$ 

A3 $\neg\Delta(\phi \wedge \neg\phi)$ 

A4 $\Delta(\phi \to \psi) \to (\Delta\phi \to \Delta\psi)$ 

MP If $\phi$ and $\phi \to \psi$ derive $\psi$ 

R1 If $\phi \equiv \psi$ derive $\Box\phi \to \Delta\Box\psi$ 

R2 If $\phi$ derive $\Delta\phi$ 

We say that $\phi$ is derivable in $L^=$ if there is a sequence of formulas $\phi_1, \ldots, \phi_n$, 
each of which is either an instance of an axiom schema from $L^=$ or is obtained 
from the previous formulas using the inference rules of $L^=$, and $\phi_n = \phi$. 

Theorem 1. $L^=$ is complete and sound, namely $\vdash_{L^=} \phi \iff \models_{L^=} \phi$. 

Proof. First we give a proof of soundness: $\vdash_{L^=} \phi \Rightarrow \models_{L^=} \phi$. All instances of 
the axiom schemas are obviously valid. A1 expresses the fact that the world is 
'frozen' as far as non-modal statements are concerned. A2-A4 state that after 
a delay the world is still a classical boolean universe. 

Note that $\neg(\Delta\phi \wedge \Delta\neg\phi)$ follows from A3, A4; $\Box\phi \to \Delta\Box\phi$ follows from R1 
and $\Delta\neg\Box\phi \to \neg\Box\phi$ follows from the previous formulas. 

Next we need to show that if the premises of the rules are valid, then the 
conclusions are. Rule R1 expresses the main point of $L^=$: if the agent believes $\phi$ 
and $\phi$ is equivalent to $\psi$, then after a delay the agent believes $\psi$. This follows 
from the second condition on $S$. R2 states that after a delay all tautologies are 
still valid. 

Next we prove completeness: $\models_{L^=} \phi \Rightarrow \vdash_{L^=} \phi$. We show that for every $\phi$, if 
$\nvdash_{L^=} \neg\phi$ then $\phi$ is satisfiable, that is $\not\models \neg\phi$. 

Assume that $\phi$ is an $L^=$-consistent formula. In a standard way, we can show 
that $\phi$ can be extended to a maximally consistent set of formulas $w_\phi$, which is 
a consistent set closed under derivability and containing either $\psi$ or $\neg\psi$ for 
each $\psi \in Form$. We construct a model $M^c = (W^c, V^c, R^c, S^c)$ ($M^c$ for short) satisfying $\phi$ 
as follows: 

$W^c$ is the set of all maximally consistent sets; we also require that each world 
is unique, in other words there are no copies of the same set; 




Logical Omniscience and the Cost of Deliberation 






$w \in V^c(p) \iff p \in w$; 

$R^c(w, \psi) \iff \Box\psi \in w$; 

$S^c(w) = \{\psi \mid \Delta\psi \in w\}$. In other words, $\forall \psi \in Form\ (\Delta\psi \in w \iff \psi \in S^c(w))$. 

In order to complete the proof, we need to show: 

Truth Lemma: for every $\psi \in Form$ and every $w \in W^c$, $M^c, w \models \psi \iff \psi \in w$. 
Correctness of $S^c$: for every $w \in W^c$, $S^c(w)$ is unique and is a maximally con- 
sistent set. 

Frozen world: for every $p \in Prop$, $w \in V^c(p) \iff S^c(w) \in V^c(p)$. 

Equivalences: For every $\phi \in NonModForm$, if $R^c(w, \phi)$ or there exists a formula 
$\psi$ such that $R^c(w, \psi)$ and $\vdash \phi \equiv \psi$ in classical propositional logic, then 
$R^c(S^c(w), \phi)$. 

From the Truth Lemma, it follows that $\phi$ is true in $w_\phi$, hence $\phi$ is satisfiable. 
The proofs of these statements are given below. 

Truth lemma. The proof goes by induction on subformulas of $\psi$. It is very easy 
for $\psi = p \mid \neg\psi_1 \mid \psi_1 \wedge \psi_2$. 

Suppose $\psi = \Delta\psi_1$. Then $M^c, w \models \Delta\psi_1 \iff M^c, S^c(w) \models \psi_1 \iff \psi_1 \in S^c(w)$ 
(induction hypothesis) $\iff \Delta\psi_1 \in w$ (definition of $S^c$). 

Suppose $\psi = \Box\psi_1$. Then $M^c, w \models \Box\psi_1 \iff R^c(w, \psi_1) \iff \Box\psi_1 \in w$ 
(definition of $R^c$). 

Correctness of $S^c$. Consistency of $S^c(w)$ follows from A3. Maximality follows 
from A2, A4 and R2. Uniqueness follows from the fact that each $w' \in W^c$ 
is unique. 

Frozen world. $w \in V^c(p) \iff p \in w \iff \Delta p \in w$ (A1) $\iff p \in S^c(w) \iff$ 
$S^c(w) \in V^c(p)$. 

Equivalences. Suppose $R^c(w, \phi)$. Then $\Box\phi \in w$. By R2, $\Delta\Box\phi \in w$. By definition 
of $S^c$, $\Box\phi \in S^c(w)$. Hence $R^c(S^c(w), \phi)$. 

Suppose there exists a formula $\psi$ such that $R^c(w, \psi)$ and $\phi \equiv \psi$ is provable 
in classical propositional logic and hence in $L^=$. Then $\Box\psi \in w$ and $\Delta\Box\phi \in w$ 
by R2. This implies $\Box\phi \in S^c(w)$, so $R^c(S^c(w), \phi)$. 

2.2 $L^\vdash$ 

It is easy to modify $L^=$ so that an agent, instead of being able to derive all 
formulas equivalent to its beliefs, after a delay can derive all consequences of its 
beliefs. 

Definition 2. A model for $L^\vdash$ is defined in the same way as a model for $L^=$, 
but replacing the Equivalences condition with the following stronger condition: 

Consequences. For every $\phi \in NonModForm$, if $R(w, \phi)$ or there exists a 
formula $\psi$ such that $R(w, \psi)$ and $\vdash \psi \to \phi$ in classical propositional logic, 
then $R(S(w), \phi)$. 

Theorem 2. The following axiom system is sound and complete for $L^\vdash$: the 
axioms and rules for $L^=$ plus 

R3 If $\phi \to \psi$ derive $\Box\phi \to \Delta\Box\psi$ 

(Note that R1 becomes derivable). 

The proof is very similar to the proof of completeness and soundness of $L^=$. 
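The model conditions of Definitions 1 and 2 as a finite model checker, added here as an example (not code from the paper). It assumes a finite encoding of R (a base set of believed formulas plus a closure flag per world) and constructed two-world scenarios; the relation argument selects the Equivalences condition of $L^=$ or the Consequences condition of $L^\vdash$.

```python
from itertools import product

# Formula encoding (constructed for this example): a string is a propositional
# variable; ('not', f), ('and', f, g), ('imp', f, g) are classical connectives;
# ('box', f) is "believes f" (f must be non-modal); ('delta', f) is "after a delay, f".
def atoms(f):
    return {f} if isinstance(f, str) else set().union(*map(atoms, f[1:]))

def is_nonmodal(f):
    return isinstance(f, str) or (
        f[0] in ('not', 'and', 'imp') and all(map(is_nonmodal, f[1:])))

def evaluate(f, atom, box=None, delta=None):
    """Truth of f given the truth of atoms and (if supplied) of the modal operators."""
    if isinstance(f, str):
        return atom(f)
    op, args = f[0], f[1:]
    if op == 'not':
        return not evaluate(args[0], atom, box, delta)
    if op == 'and':
        return evaluate(args[0], atom, box, delta) and evaluate(args[1], atom, box, delta)
    if op == 'imp':
        return (not evaluate(args[0], atom, box, delta)) or evaluate(args[1], atom, box, delta)
    if op == 'box' and box is not None and is_nonmodal(args[0]):
        return box(args[0])
    if op == 'delta' and delta is not None:
        return delta(args[0])
    raise ValueError('ill-formed formula or modal operator in a non-modal context: %r' % (f,))

def entails(f, g):
    """|- f -> g in classical propositional logic, decided by truth table."""
    vs = sorted(atoms(f) | atoms(g))
    return all(evaluate(('imp', f, g), dict(zip(vs, bits)).__getitem__)
               for bits in product((False, True), repeat=len(vs)))

def equivalent(f, g):
    """|- f = g, the relation used by the Equivalences condition of L=."""
    return entails(f, g) and entails(g, f)

class DelayModel:
    """M = (W, V, R, S). Once the agent has closed its beliefs, R(w, .) holds for
    infinitely many formulas, so each world carries a finite base plus a 'closed'
    flag (an assumption of this finite encoding): phi is believed at w iff phi is
    in the base, or w is closed and some base formula is related to phi by
    `relation` (equivalent for L=, entails for L|-)."""

    def __init__(self, valuation, beliefs, successor, relation):
        self.V = valuation      # world -> set of atoms true there
        self.beliefs = beliefs  # world -> (frozenset of base formulas, closed flag)
        self.S = successor      # world -> world reached after one delay
        self.cond = relation

    def R(self, w, phi):
        base, closed = self.beliefs[w]
        return phi in base or (closed and any(self.cond(psi, phi) for psi in base))

    def sat(self, w, f):
        """M, w |= f, following the satisfaction clauses of Definition 1."""
        return evaluate(f, lambda a: a in self.V[w],
                        lambda g: self.R(w, g),
                        lambda g: self.sat(self.S[w], g))

    def frozen_world(self):
        return all(self.V[w] == self.V[self.S[w]] for w in self.V)

    def delay_condition(self):
        """Equivalences (L=) / Consequences (L|-): whatever is believed at w, or
        related to a belief at w, is believed at S(w). In the finite encoding this
        holds iff w's base is believed at S(w) and S(w) is closed (both relations
        are transitive, so closure at S(w) also covers what w derived itself)."""
        return all(all(self.R(self.S[w], phi) for phi in base)
                   and (not base or self.beliefs[self.S[w]][1])
                   for w, (base, _) in self.beliefs.items())

    def is_model(self):
        return self.frozen_world() and self.delay_condition()

# Constructed scenario: at w0 the agent holds the beliefs in `base` and has drawn
# no inference yet; w1 = S(w0) is its state one delay later.
P, Q = 'p', 'q'
CONJ = (('and', P, ('imp', P, Q)),)   # p & (p -> q) held as one belief
SPLIT = (P, ('imp', P, Q))            # p and p -> q held as two separate beliefs

def scenario(relation, base, closed_after_delay=True):
    return DelayModel(valuation={'w0': {P, Q}, 'w1': {P, Q}},
                      beliefs={'w0': (frozenset(base), False),
                               'w1': (frozenset(base), closed_after_delay)},
                      successor={'w0': 'w1', 'w1': 'w1'},
                      relation=relation)

def delayed_beliefs(relation, base):
    """(believed now, believed after one delay) for q, p and a commuted conjunction."""
    m = scenario(relation, base)
    if not m.is_model():
        raise ValueError('not a model of the chosen logic')
    targets = {'q': Q, 'p': P, 'commuted': ('and', ('imp', P, Q), P)}
    return {k: (m.sat('w0', ('box', f)), m.sat('w0', ('delta', ('box', f))))
            for k, f in targets.items()}
```

Note that with the beliefs held separately (SPLIT) even $L^\vdash$ never yields $q$ after the delay, because the Consequences condition closes under single-premise consequence only and the beliefs are not closed under conjunction.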

Both logics $L^=$ and $L^\vdash$ are decidable and have the bounded model property. 
Before proving this, we need a simple lemma. Below, $Subf(\phi)$ denotes the set 
of all subformulas of $\phi$, and $ModSubf(\phi) = \{\psi \in Subf(\phi) : \Box\psi \in Subf(\phi)\}$ are the 
modal subformulas of $\phi$. 

Lemma 1. For every $\phi \in Form$, and every two $L^=$ ($L^\vdash$) models 
$M_1 = (W_1, V_1, R_1, S_1)$ and $M_2 = (W_2, V_2, R_2, S_2)$, if $W_1 = W_2$, $S_1 = S_2$, $V_1$ and 
$V_2$ agree on $p \in Prop \cap Subf(\phi)$ and $R_1$ and $R_2$ agree on $\psi \in ModSubf(\phi)$, 
then for every $w$, 

$M_1, w \models \phi \iff M_2, w \models \phi$. 

Proof. The proof is just a simple induction on subformulas of $\phi$. 

Let us call the number of nestings of the $\Delta$ operator in $\phi$ the $\Delta$-depth of $\phi$, $d(\phi)$. 
More precisely, 

$d(p) = 0$ for $p \in Prop$; 
$d(\neg\psi) = d(\psi)$; 
$d(\Box\psi) = d(\psi)$; 
$d(\psi_1 \wedge \psi_2) = \max(d(\psi_1), d(\psi_2))$; 
$d(\Delta\psi) = d(\psi) + 1$. 

Clearly $d(\phi) \le |\phi|$ where $|\phi|$ is the size (number of subformulas) of $\phi$. So the 
result below is better than the usual results for modal logics obtained by filtrations, 
which produce models of size less or equal to $2^{|\phi|}$. 

Theorem 3. $L^=$ and $L^\vdash$ have the bounded model property, that is, if a formula 
$\phi$ is satisfiable then it has a model where the set of worlds is less or equal to $d(\phi)$ 
(hence less or equal to $|\phi|$). 

Proof. The proof is similar for both logics. We can show that if a formula $\phi$ of 
$\Delta$-depth $d(\phi) = k$ is satisfied in a world $w$ of a model $M$ then it is satisfied in 
a model $M'$ where the set of worlds contains only $w$ and the worlds reachable 
from $w$ in $k$ $S$-steps, i.e. $W' = \{w, S(w), S(S(w)), \ldots, S^k(w)\}$. Obviously $W'$ is 
of size at most $d(\phi)$ even if $W$ is infinite ($|W'|$ could be less than $k$ if for some 
$m < k$, $S^m(w) =$ 

The proof that $M, w \models \phi \iff M', w \models \phi$ is standard (see for example [11], 
Lemma 2.8) and is omitted here. 

Theorem 4. The satisfiability problem for $L^=$ and $L^\vdash$ is decidable. 

Proof. Suppose we would like to check whether a formula $\phi$ is satisfiable in $L^=$ 
($L^\vdash$). By the previous theorem, it suffices to check whether $\phi$ is satisfiable in 
any $L^=$ ($L^\vdash$) model of size less or equal to $|\phi|$. The set of models of size less 
or equal to $|\phi|$ is strictly speaking infinite since $R$ is defined on the set of all 
formulas which is infinite, so there are infinitely many models of a fixed finite 
size which differ in $R$. However, by the previous lemma the only part of $R$ in 
every model which really matters for checking whether $\phi$ is satisfied or not is the 
part dealing with all subformulas of $\phi$ of the form $\Box\psi$. There are only finitely 
many different relations $R$ with respect to the set $ModSubf(\phi)$, so we need to 
check only finitely many cases. Being an $L^=$ ($L^\vdash$) model is a decidable property 
since the equivalence relation (consequence relation) on classical propositional 
formulas is decidable. 

3 Related Work 

In this section, we briefly survey previous approaches to the problem of logical 
omniscience and point out similarities and differences with our approach. 

Hintikka [4,5] and Rantala [7] saw the problem of logical omniscience mostly 
as a result of unrealistic principles in a formal model of knowledge. The solu- 
tion they favoured was to make the principles invalid by changing the possible 
worlds semantics so that logically equivalent formulas do not necessarily hold in 
the same sets of possible worlds. This was achieved by introduction of ‘impossi- 
ble worlds’ ([7]) where classical logic does not hold. Similar in spirit is the work 
of Fagin et al. [3] where possible worlds model a flavour of relevance logic. There 
again classical logical omniscience does not hold, although the agents are perfect 
reasoners in a weaker logic. Levesque [6] makes an important distinction between 
the beliefs which the agent actually has (explicit beliefs) and beliefs which can 
be attributed to it. The explicit beliefs do not conform to the principle of logical 
omniscience. Levesque’s approach involves using incomplete worlds (situations). 
A similar but simpler and more intuitive semantics for explicit beliefs was pro- 
posed by Fagin et al. [2]. Elgot-Drapkin & Perlis [1] and Weyhrauch et al. [13] 
take a different approach which is concerned more with modelling the bounded 
resources which prevent the agent from deriving all consequences from its beliefs 
rather than modelling its irrationality or lack of awareness. 

Our motivation is closer to the bounded-resources approach of Elgot-Drapkin 
and Perlis and Weyhrauch et al., in that we would like to model a rational but 
resource-bounded agent. However, our solution is in a traditional possible worlds 
setting rather than in a complex first-order theory of resources or step-logic. 
Unlike many other epistemic logic approaches, we distinguish between beliefs at 
the current moment and beliefs after the reasoner had time to consider their 
consequences, rather than distinguishing between implicit and explicit beliefs. 



4 Discussion and Further Work 

The logics $L^=$ and $L^\vdash$ are simple and have attractive formal properties. However, 
they are far from what we actually would like to achieve. We describe them here 
as a proof of concept, which requires further elaboration to achieve a realistic 
model of agent behaviour. In this section, we briefly outline some of the ways in 
which the approach presented above could be extended. 

First of all, we would like to make the connection between delay time and 
computational effort involved in deducing a formula more explicit. Although 
nestings of the delay operator $\Delta$ can express some of the intuitions (e.g. 
$\Box\phi \wedge \Delta\Box(\phi \to \psi) \to \Delta\Delta\Box\psi$), it may be useful to introduce finer structure on what 
kind of derivations can be made after a fixed amount of time. For example, 
after a single unit of delay we could add all statements derivable from current 
beliefs in one application of an inference rule. Another possibility is to add extra 
expressive power to the language to allow us to explicitly mention moments of 
time as in [1] or available resources (e.g., inference rules) as in [13]. 

Another serious limitation of $L^=$ and $L^\vdash$ is that we assume that the world 
does not change while the agent is reasoning and that the agent never has to 
revise its beliefs. This could be overcome by explicitly tagging particular beliefs 
with moments of time. 

For some applications, the agent's inability to reason about its beliefs is a 
limitation. For example, an agent should be able to realise that it does not know 
whether $\phi$ and attempt to derive it (see [1] for more examples). 

The logics we proposed only consider deductive reasoning, not default rea- 
soning or planning. However, we believe that our approach can be extended to 
other kinds of deliberation. 
Abstract. When it comes to building robot controllers, high-level pro- 
gramming arises as a feasible alternative to planning. The task then is to 
verify a high-level program by finding a legal execution of it. However, 
interleaving offline verification with execution in the world seems to be 
the most practical approach for large programs and complex scenarios 
involving information gathering and exogenous events. 

In this paper, we present a mechanism for performing local lookahead for 
the Golog family of high-level robot programs. The main features of such 
a mechanism are that it takes sensing seriously by constructing conditional 
plans that are ready to be executed in the world, and it mixes perfectly 
with an account of interleaved perception, planning, and action. Also, a 
simple implementation is developed. 



1 Motivation 

In general terms, this paper is concerned with how to conveniently specify the 
behavior of an intelligent agent or robot living in an incompletely known dy- 
namic world. One popular way of specifying the behavior of an agent is through 
planning, the generation of a sequence of actions achieving or maintaining a 
set of goals. To cope with incomplete knowledge, some sort of sensing behavior is 
usually assumed [?], resulting in conditional or contingency plans [?], where 
branches are executed based on the outcome of perceptual actions or sensors. 
The task of a conditional planner is to find a tree-structured plan that accounts 
for and handles all eventualities, in advance of execution. 

However, this type of conditional planning is computationally difficult and 
impractical in many robot domains. The non-conditional planning problem is 
already highly intractable, and taking sensing into account only makes it worse. 

High-level logic programming languages like Golog [6] and ConGolog [7] offer 
an interesting alternative to planning in which the user specifies not just a goal, 
but also constraints on how it is to be achieved, perhaps leaving small sub- 
tasks to be handled by an automatic planner. In that way, a high-level program 
serves as a "guide" heavily restricting the search space. By a high-level program, 
we mean one whose primitive instructions are domain-dependent actions of the 
robot, whose tests involve domain-dependent fluents affected by these actions, 
and whose code may contain nondeterministic choice points. 
Instead of looking for a legal sequence of actions achieving some goal, the 
task now is to find a sequence that constitutes a legal execution of a high-level 
program. Originally, Golog and ConGolog programs were intended to be solved 
offline, that is, a complete solution was obtained before committing even to the 
first action. Also, sensing behavior was not considered, so that the approach to 
uncertainty resembles more that of conformant planners [8]. While Lakemeyer 
[9] suggested an extension of Golog to handle sensing and contingent plans, 
De Giacomo and Levesque [10] provided an account of interleaved perception, 
planning, and action [?] for ConGolog programs. 

In this paper, we propose to combine both improvements by suggesting a 
method of executing high-level robot programs that is both conditional (in the 
sense of Lakemeyer) and local (in the sense of De Giacomo and Levesque). The 
advantages are twofold. First, we can expect to deal with much larger programs, 
assuming planning is locally restricted. Second, the offline verification of sub- 
tasks will handle sensing and provide contingent solutions. Although this may 
seem initially a trivial intersection of the two pieces, it is not. For one, sGolog 
semantics is given as a macro expansion while an incremental execution is defined 
with a single-step semantics. Furthermore, sGolog does not handle ConGolog 
constructs, namely those for concurrency and reactive behavior, which we do 
not want to give up. 

The rest of the paper is organized as follows: in the next two sections, we give 
brief introductions to the situation calculus, high-level programs, and their exe- 
cutions. Section 4 is devoted to our approach to offline verification of programs. 
In Section 5 we develop a simple and provably sound Prolog implementation. 
We draw conclusions and discuss future lines of research in Section 6. 



2 Situation Calculus and Programs 

In this section, we start by explaining the situation calculus dialect on which 
the whole high-level approach is based, and after that, we informally show what 
high-level programs look like. 

The situation calculus is a second order language specifically designed for 
representing dynamically changing worlds [?]. We will not go over it here 
except to note the following components: there is a special constant $S_0$ used 
to denote the initial situation where no actions have yet occurred; there is a 
distinguished binary function symbol $do$ where $do(a, s)$ denotes the successor 
situation to $s$ resulting from performing action $a$; relations whose truth values 
vary from situation to situation are called fluents, and are denoted by predi- 
cate/function symbols taking a situation term as their last argument; there is a 
special predicate $Poss(a, s)$ used to state that action $a$ is executable in situation 
$s$. Depending on the type of action theory used we may have other predicates 
and axioms to state what are the sensing results of special sensing actions [?] or 
the outcomes of onboard sensors [2] at some situation. Finally, by a history $\sigma$ 
we mean a sequence of pairs $(a, \mu)$ where $a$ is a primitive action and $\mu$ encodes 
the sensing results at that point¹. A formula $Sensed[\sigma]$ in the language can be 
defined stating the sensing results of history $\sigma$. Lastly, $end[\sigma]$ stands for the situ- 
ation term corresponding to history $\sigma$. Informally, while $Sensed[\sigma]$ extracts from 
$\sigma$ all the sensing information already gathered, $end[\sigma]$ extracts the sequence of 
actions already performed. 

On top of the situation calculus, we can define logic-based programming 
languages like Golog [6] and ConGolog [7], which, in addition to the primitive 
actions of the situation calculus, allow the definition of complex actions. Indeed, 
Golog offers all the control structures known from conventional programming 
languages (e.g., sequence, iteration, conditional, etc.) plus some nondeterministic 
constructs. It is due to these last control structures that programs do not stand 
for complete solutions, but only for sketches of them whose gaps have to be 
filled later, usually at execution time. ConGolog extends Golog to accommodate 
concurrency and interrupts. As one may expect, both Golog and ConGolog rely 
on an underlying situation calculus axiomatization to describe how the world 
changes as the result of available actions, i.e. a theory of action. For instance, 
basic action theories [?] or the more general guarded action theories [2] may be 
used for that purpose. 

To informally introduce the syntax and some of the common constructs of 
these programming languages, we show next a possible ConGolog program for 
a version of the well-known airport problem [?]. Suppose that the ultimate 
goal of an agent is to board its plane. For that, she first needs to get to the 
airport, go to the right airline terminal, and once there, she has to get to the 
correct gate, and finally board her plane. In addition, she probably wants to buy 
something to read and drink before boarding the plane. The following may be a 
ConGolog control program for such an agent: 

proc catch_plane1 
    (πa.a)*; at(airport)?; 
    (goto(term1) | goto(term2)); 
    (buy(magazine) | buy(paper)); 
    if gate > 90 then { goto(gate); buy(coffee) } else { buy(coffee); goto(gate) }; 
    board_plane; 
end proc 

where $\delta_1; \delta_2$ stands for the sequence of programs $\delta_1$ and $\delta_2$; $\pi x.\delta(x)$ for nondetermin- 
istic choice of argument $x$; $\delta_1 | \delta_2$ for nondeterministic selection between programs 
$\delta_1$ and $\delta_2$; and $\delta^*$ for nondeterministic iteration of program $\delta$ (zero, one, or more 
times). Finally, action $\phi?$ checks that condition $\phi$ holds. As it is easy to observe, 
the above program has many gaps due to nondeterministic points that need to 
be resolved by an automated planner. For example, the first two complex actions 
(πa.a)*; at(airport)? require the agent to select some number of actions (pick up 
the car key, get in the car, drive to the airport, etc.) so that after their execution 

¹ The outcome of $a$ itself in basic theories, or the values of all sensors in guarded 
theories. 
she would eventually be at the airport. As the reader may have noticed, that 
particular sub-task is very similar to classical planning². Once in the airport, 
the agent has to decide whether to head to terminal 1 or 2 (another gap to be 
filled) and, after that, whether to buy a magazine or a newspaper. Finally, she 
would buy something to drink and board the airplane. However, in case the gate 
number is 90 or up, it is preferable to buy coffee at the gate, otherwise it is 
better to buy coffee before going to the gate. 

3 Incremental Execution of Programs 

Finding a legal execution of high-level programs is at the core of the whole 
approach. Indeed, a sequence of actions standing for a program execution will 
be taken as the ultimate agent behavior. Originally, Golog and ConGolog pro- 
grams were conceived to be executed (verified) offline. In other words, we look 
for a sequence of actions $[a_1, \ldots, a_m]$ such that $Do(\delta, S_0, do([a_1, \ldots, a_m], S_0))$³ is en- 
tailed by the specification, where $Do(\delta, s, s')$ is intended to say that situation 
$s'$ represents a legal execution of program $\delta$ from the initial situation $s$. Once a 
sequence like that is found, the agent is supposed to execute it one action at a 
time. Clearly, this type of execution remains infeasible for large programs and 
precludes both runtime sensing information and reactive behavior. To deal with 
these drawbacks, De Giacomo and Levesque [10] provided a formal notion of 
interleaved planning, sensing, and action [?] which we support for cognitive 
robotic applications. In their account, they make use of two predicates defined 
in [7] in order to give a single-step semantics to ConGolog programs: 

— $Trans(\delta, s, \delta', s')$ is meant to say that program $\delta$ in situation $s$ may legally 
execute one step, ending in situation $s'$ with program $\delta'$ remaining; 

— $Final(\delta, s)$ is meant to say that program $\delta$ may legally terminate in situation 
$s$. 

Both predicates are defined inductively for each language construct. As an exam- 
ple, we list the axioms corresponding to the nondeterministic choice of program 
and sequence⁴: 

$Trans(\delta_1 | \delta_2, s, \delta', s') \equiv Trans(\delta_1, s, \delta', s') \vee Trans(\delta_2, s, \delta', s')$ 

$Trans(\delta_1; \delta_2, s, \delta', s') \equiv \exists\delta''.\, Trans(\delta_1, s, \delta'', s') \wedge \delta' = (\delta''; \delta_2) \vee$ 
$Final(\delta_1, s) \wedge Trans(\delta_2, s, \delta', s')$ 

$Final(\delta_1 | \delta_2, s) \equiv Final(\delta_1, s) \vee Final(\delta_2, s)$ 

$Final(\delta_1; \delta_2, s) \equiv Final(\delta_1, s) \wedge Final(\delta_2, s)$ 

From now on, we use $Axioms$ to refer to the set of axioms defining the 
underlying theory of action, the axioms for $Trans$ and $Final$, and those needed 

² In fact, one would prefer to avoid this kind of sub-task and write more detailed 
programs since the search space required for such sub-tasks will be huge. 

³ $do([a_1, \ldots, a_m], S_0)$ denotes the situation term $do(a_m, do(a_{m-1}, \ldots, do(a_1, S_0)) \ldots)$. 

⁴ From now on, we assume all free variables are universally quantified. 






S. Sardina 



for the encoding of programs as first-order terms (see [7]). Also, $Trans^*$ stands 
for the second-order definition of the transitive closure of $Trans$. 

Definition 1. An online execution of a program $\delta_0$ starting from a history $\sigma_0$ 
is a sequence $(\delta_0, \sigma_0), \ldots, (\delta_n, \sigma_n)$, such that for $i = 0, \ldots, n-1$: 

$Axioms \cup Sensed[\sigma_i] \models Trans(\delta_i, end[\sigma_i], \delta_{i+1}, end[\sigma_{i+1}])$ 

$\sigma_{i+1} = \sigma_i$, if $end[\sigma_{i+1}] = end[\sigma_i]$; 

$\sigma_{i+1} = \sigma_i \cdot (a, \mu)$, if $end[\sigma_{i+1}] = do(a, end[\sigma_i])$ 
and $\mu$ is the sensing outcomes after $a$. 

Furthermore, the online execution is successful if: 

$Axioms \cup Sensed[\sigma_n] \models Final(\delta_n, end[\sigma_n])$ 



Among other things, with an online (incremental) execution, it is possible to 
gather information after each transition. However, given that an incremental 
execution requires committing in the world at each step and programs may 
contain nondeterministic points, some lookahead mechanism is required to avoid 
unsuccessful (dead-end) executions. To that end, in [10] a new language construct 
$\Sigma$, the search operator, is provided as a local controlled form of offline verification 
where the amount of lookahead to be performed is under the control of the 
programmer. As with all the other language constructs, a single-step semantics 
for it can be defined such that $\Sigma\delta$ selects from all possible transitions of $(\delta, s)$ 
those for which there exists a sequence of further transitions leading to a final 
configuration $(\delta', s')$. Formally, 

$Final(\Sigma\delta, s) \equiv Final(\delta, s)$ 

$Trans(\Sigma\delta, s, \delta', s') \equiv \exists\gamma, \gamma', s''.\, \delta' = \Sigma\gamma \wedge Trans(\delta, s, \gamma, s') \wedge$ 
$Trans^*(\gamma, s', \gamma', s'') \wedge Final(\gamma', s'')$ 

Nonetheless, we recognize some important limitations of this search operator. 
In particular, we are concerned with its limitation to explicitly handle sensing 
and the fact that it does not generate solutions that are ready to be carried 
out by the agent. This is because search only calculates the next "safe" action 
the agent should commit to, even though there may be a complete (conditional) 
course of action to follow. What we propose here is a new search operator which 
overcomes both issues. 
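The single-step semantics of Trans and Final, the search operator $\Sigma$ and the online execution of Definition 1, as an added Python example (not the paper's Prolog implementation). It assumes a constructed propositional action theory for the airport scenario, leaves out sensing outcomes, and bounds the lookahead depth; it shows the dead end an unguided online execution runs into and how $\Sigma$ prunes it.

```python
# Programs are tuples (constructed encoding): ('nil',), ('act', name),
# ('test', cond), ('seq', d1, d2), ('choice', d1, d2), ('star', d),
# ('if', cond, d1, d2) and ('search', d) for Sigma(d). A situation is the tuple
# of actions performed since S0 = (); a condition is a function of the fluents
# holding in a situation. Sensing outcomes (the mu of Definition 1) are omitted.
NIL = ('nil',)

# Constructed toy action theory: name -> (precondition fluents, added, deleted).
# The agent's flight leaves from terminal 2, so only goto(term2) lets it board.
ACTIONS = {
    'goto(airport)': (set(), {'at(airport)'}, set()),
    'goto(term1)': ({'at(airport)'}, {'at(term1)'}, set()),
    'goto(term2)': ({'at(airport)'}, {'at(term2)'}, set()),
    'board_plane': ({'at(term2)'}, {'boarded'}, set()),
}

def fluents(s):
    """Fluents holding in situation s, obtained by replaying effects from S0."""
    held = set()
    for a in s:
        _, add, delete = ACTIONS[a]
        held = (held - delete) | add
    return held

def poss(a, s):
    """Poss(a, s): the precondition of a holds in s."""
    return ACTIONS[a][0] <= fluents(s)

def seq(*ds):
    """Right-nested sequence d1; d2; ...; dn."""
    return ds[0] if len(ds) == 1 else ('seq', ds[0], seq(*ds[1:]))

def final(d, s):
    """Final(d, s): program d may legally terminate in situation s."""
    k = d[0]
    if k in ('nil', 'star'):
        return True
    if k == 'seq':
        return final(d[1], s) and final(d[2], s)
    if k == 'choice':
        return final(d[1], s) or final(d[2], s)
    if k == 'if':
        return final(d[2] if d[1](fluents(s)) else d[3], s)
    if k == 'search':
        return final(d[1], s)
    return False  # a primitive action or a test cannot terminate without a step

def trans(d, s):
    """Trans(d, s, d', s'): all single steps of d in s, as (d', s') pairs."""
    k = d[0]
    if k == 'act':
        return [(NIL, s + (d[1],))] if poss(d[1], s) else []
    if k == 'test':
        return [(NIL, s)] if d[1](fluents(s)) else []
    if k == 'seq':
        steps = [(('seq', g, d[2]), s1) for g, s1 in trans(d[1], s)]
        return steps + (trans(d[2], s) if final(d[1], s) else [])
    if k == 'choice':
        return trans(d[1], s) + trans(d[2], s)
    if k == 'star':
        return [(('seq', g, d), s1) for g, s1 in trans(d[1], s)]
    if k == 'if':
        return trans(d[2] if d[1](fluents(s)) else d[3], s)
    if k == 'search':  # keep only the steps from which a final configuration is reachable
        return [(('search', g), s1) for g, s1 in trans(d[1], s) if reaches_final(g, s1)]
    return []  # nil

def reaches_final(d, s, depth=20):
    """Trans*(d, s, d', s'') and Final(d', s'') for some d', s'' (assumed depth bound)."""
    stack, seen = [(d, s, 0)], set()
    while stack:
        d0, s0, n = stack.pop()
        if final(d0, s0):
            return True
        if n < depth and (d0, s0) not in seen:
            seen.add((d0, s0))
            stack.extend((g, s1, n + 1) for g, s1 in trans(d0, s0))
    return False

def online_execution(d, s=()):
    """Definition 1 without sensing: commit to the first legal transition at each
    step. Returns (successful, actions performed)."""
    while not final(d, s):
        steps = trans(d, s)
        if not steps:
            return False, s  # dead end: no transition and not final
        d, s = steps[0]
    return True, s

AT_AIRPORT = lambda held: 'at(airport)' in held
PICK_TERMINAL = ('choice', ('act', 'goto(term1)'), ('act', 'goto(term2)'))
BOARD = ('act', 'board_plane')

# Without lookahead the first transition (goto(term1)) is committed to and the
# execution dead-ends; wrapping the choice and the boarding in Sigma prunes it.
PLAN = seq(('act', 'goto(airport)'), ('test', AT_AIRPORT), PICK_TERMINAL, BOARD)
PLAN_WITH_SEARCH = seq(('act', 'goto(airport)'), ('test', AT_AIRPORT),
                       ('search', seq(PICK_TERMINAL, BOARD)))
```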

3.1 Offline Verification with Sensing 

As already noted, one way to cope with incomplete information, especially when 
sensors are cheap and accurate, or effectors are costly, is by gaining new infor- 
mation through sensing and adopting a contingent planning strategy. Consider 
a revised version of the airport example in which the agent does not know the 
gate number, but can learn it by examining the departure screen at the right 
terminal. 
proc catch_plane2 
    (πa.a)*; at(airport)?; 
    (goto(term1) | goto(term2)); 
    watch_screen;   /* Sensing Action! */ 
    (buy(magazine) | buy(paper)); 
    if gate > 90 then { goto(gate); buy(coffee) } else { buy(coffee); goto(gate) }; 
    board_plane; 
end proc 

Conformant planning (like [8]), the development of non-conditional plans that 
do not rely on sensory information, cannot generally solve our example because 
there is no linear course of action that solves the program under any possible 
outcome of the sensing action watch_screen. It should be clear then that neither 
Golog nor ConGolog would find any successful offline execution for catch_plane2. 
An online execution, however, would adapt the sequence depending on the in- 
formation observed on the boarding panel. 

In [^, it was argued that, yet, “there is a place for offline interpretation of 
programs with sensing.'" In fact, Lakemeyer suggested an extension of Golog, 
namely sGolog, that handles sensing actions offline by computing conditional 
plans instead of linear ones. These plans are represented - in the language - by 
conditional action trees (CATs) terms of the form a • ci or [((),ci,C 2 ], where a is 
an action term, (f> is a, formula, and ci and C 2 are two CATs. Roughly, an sGolog 
solution for our airport example would look as follows: 

c = goto(airport) ■ goto{term2) ■ watch_screen ■ buy{paper) 

■ [gate > 90, goto(gate) ■ buy{cof fee) ■ boardjplane, 
buy{cof fee) ■ goto(gate) ■ boardjplane] 

sGolog extends Golog's $Do(\delta, s, s')$ to $Do_s(\delta, s, c)$, which expands into a formula 
of the situation calculus augmented by a set of axioms $Ax_{CAT}$ for dealing 
with CAT terms. $Do_s(\delta, s, c)$ may be read as "executing the program $\delta$ in situation 
$s$ results in CAT $c$." It is worth noting that although sGolog is able to 
build conditional plans such as the one above, it requires programs to use a special 
action $branch\_on(\phi)$ to state where to split and how. Intuitively, a $branch\_on(\phi)$ 
tells the planner that it should split w.r.t. the condition $\phi(s)$. In that sense, the 
above CAT $c$ is not seen as a legal solution for program catch_plane2, but it 
is a legal one for the following version of it: 

proc catch_plane2b
    (π a. a)*; at(airport)?;
    (goto(term1) | goto(term2));
    watch_screen;                       /* Sensing Action! */
    (buy(magazine) | buy(paper));
    branch_on(gate > 90);
    if gate > 90 then { goto(gate); buy(coffee) }
                 else { buy(coffee); goto(gate) };
    board_plane;
end proc

From now on, we denote by $\delta^-$ the program $\delta$ with all its branch 
actions suppressed (e.g., catch_plane2b$^-$ = catch_plane2). 

4 Conditional Lookahead 

Lakemeyer argued that many programs with a moderate number of sensing 
actions can very well be handled with his approach. Even though we are skeptical 
about doing full offline execution of any (large) program, we consider his 
argument a much more plausible one if offline execution were restricted to local 
places in a program. In what follows, we define a new search construct providing 
a local lookahead mechanism that takes potential sensing behavior seriously and 
fits smoothly with the incremental execution scheme from Section 3. We begin 
by defining a subset of useful high-level programs. 

Definition 2. A Golog program $\delta$ is a conditional program plan (CPP) if 

- $\delta = nil$, i.e., $\delta$ is the empty program; 
- $\delta = A$, $A$ is an action term; 
- $\delta = (A; \delta_1)$, $A$ is an action term, and $\delta_1$ is a CPP; 
- $\delta = \mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2$, $\phi$ a fluent formula, and $\delta_1, \delta_2$ are CPPs. 

Under our approach, CPPs will play the role of conditional-plan solutions. Notice 
they are no more than regular deterministic high-level programs where only 
sequences of actions and conditional splitting (branching) are allowed. It is easy 
to state an axiom defining the relation $condPlan(\delta)$, which, informally, holds 
only when $\delta$ is a CPP. 

Next, we introduce a two-place function $run$, our version of Lakemeyer's $cdo$ 
function, which takes a CPP $\delta$ and a situation $s$, and returns a situation which is 
obtained from $s$ using the actions along a path in $\delta$.* Briefly, $run$ follows a certain 
branch in the CPP depending on the truth value of the branch conditions. 



$$
\begin{aligned}
run(nil, s) &= s \\
run(a, s) &= do(a, s) \\
run((a; \delta), s) &= run(\delta, do(a, s)) \\
\phi(s) \supset run(\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2, s) &= run(\delta_1, s) \\
\neg\phi(s) \supset run(\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2, s) &= run(\delta_2, s)
\end{aligned}
$$



Lastly, predicate $knowHow(\delta, s)$ is intended to mean that "we know how to 
execute $\delta$ starting at situation $s$." By this we mean that at every branching point 
in the CPP $\delta$, the branch formula is known to be true or false.  In order to enforce 
this restriction, programs would generally have some sensing behavior that will 
guarantee that each formula in a CPP will be known. A high-level description 
of the corresponding axioms for $knowHow$ is the following: 

$$
\begin{aligned}
knowHow(nil, s) &\equiv \mathit{TRUE} \\
knowHow(a, s) &\equiv \mathit{TRUE} \\
knowHow((a; \delta), s) &\equiv knowHow(\delta, do(a, s)) \\
knowHow(\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2, s) &\equiv Kwhether(\phi, s) \land {} \\
 & \quad (\phi(s) \supset knowHow(\delta_1, s)) \land {} \\
 & \quad (\neg\phi(s) \supset knowHow(\delta_2, s))
\end{aligned}
$$

* A CPP can be easily seen as a tree with actions and conditional splittings as nodes. 

Observe that the last axiom makes use of the predicate $Kwhether(\phi, s)$ defined in 
[..], which gives us a solution to knowledge in the situation calculus. Relation 
$Kwhether(\phi, s)$ is intended to say that the condition $\phi$ will be eventually known 
(true or false) in situation $s$.† Although it is possible to use more general 
definitions of "knowing how to execute a program," we stick to the above one for 
the sake of simplicity. 
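The $run$ and $knowHow$ definitions above, rendered in Python as an added example that is not part of the paper: the list encoding of CPPs, the sensing axiom (watch_screen senses "gate > 90"), the simplified $Kwhether$ check and all function names are assumptions of this example, not the paper's axioms. It follows the CPP $\delta'$ of the airport example in the two models of the branch condition and shows $knowHow$ rejecting a CPP that splits before the screen has been watched.

```python
"""Added example (not code from the paper): run and knowHow over conditional
program plans (CPPs).  Assumed encoding, mirroring the Prolog list convention
of Section 5:
  []                          nil
  ['a', ...]                  a; rest
  [('if', phi, c1, c2)]       if phi then c1 else c2 (always the last element)
A situation is the tuple of action names applied to S0 = ().  A model fixes
the truth value of each sensed condition; a condition missing from the model
is unknown, as it is at planning time."""

S0 = ()

# Assumed sensing axiom of the airport domain: watch_screen senses "gate > 90".
SENSES = {'watch_screen': 'gate > 90'}


def cond_plan(delta):
    """condPlan(delta): nil, an action followed by a CPP, or an if-then-else of CPPs."""
    if delta == []:
        return True
    head, rest = delta[0], delta[1:]
    if isinstance(head, tuple) and head[0] == 'if':
        _, _phi, c1, c2 = head
        return rest == [] and cond_plan(c1) and cond_plan(c2)
    return isinstance(head, str) and cond_plan(rest)


def run(delta, s, model):
    """run(delta, s) in one interpretation: follow the branch the model selects."""
    if delta == []:
        return s
    head, rest = delta[0], delta[1:]
    if isinstance(head, tuple) and head[0] == 'if':
        _, phi, c1, c2 = head
        if phi not in model:
            raise ValueError('run: %r has no truth value in this model' % phi)
        return run(c1 if model[phi] else c2, s, model)
    return run(rest, s + (head,), model)


def kwhether(phi, s):
    """Kwhether(phi, s), simplified as in Section 5 for basic action theories:
    phi is known once some action in s senses it (assumes nothing changes it later)."""
    return any(SENSES.get(a) == phi for a in s)


def know_how(delta, s):
    """knowHow(delta, s): every branch condition is known where it is tested.
    Both branches are checked, which is what the axiom demands in every model
    while the value of phi at planning time is not yet fixed."""
    if delta == []:
        return True
    head, rest = delta[0], delta[1:]
    if isinstance(head, tuple) and head[0] == 'if':
        _, phi, c1, c2 = head
        return kwhether(phi, s) and know_how(c1, s) and know_how(c2, s)
    return know_how(rest, s + (head,))


# The CPP delta' of the text.
DELTA_PRIME = [
    'goto(airport)', 'goto(term2)', 'watch_screen', 'buy(paper)',
    ('if', 'gate > 90',
     ['goto(gate)', 'buy(coffee)', 'board_plane'],
     ['buy(coffee)', 'goto(gate)', 'board_plane'])]

# A CPP that splits before the screen has been watched: not executable online.
SPLIT_TOO_EARLY = [
    'goto(airport)',
    ('if', 'gate > 90',
     ['goto(term2)', 'watch_screen', 'goto(gate)', 'board_plane'],
     ['goto(term1)', 'watch_screen', 'goto(gate)', 'board_plane'])]


def runs_of(delta):
    """run(delta, S0) in the two models of the example: gate > 90 and gate <= 90."""
    return (run(delta, S0, {'gate > 90': True}),
            run(delta, S0, {'gate > 90': False}))
```

Calling `runs_of(DELTA_PRIME)` gives the two situation terms listed below for $run(\delta', S_0)$, one per model, while `know_how(SPLIT_TOO_EARLY, S0)` is false because no action before the split senses the gate.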

We now have all the machinery needed to define our new mechanism of 
controlled lookahead. Namely, we introduce a conditional search operator $\Sigma_c$ 
that, instead of only returning the next action to be performed, computes 
a whole (remaining) CPP that solves the original program and is ready to be 
executed online. To that end, we define $Final$ and $Trans$ for the new operator. 
For $Final$, we have that $(\Sigma_c\delta, s)$ is a final configuration if $(\delta, s)$ itself is. 

$$
Final(\Sigma_c\delta, s) \equiv Final(\delta, s)
$$

For $Trans$, a configuration $(\Sigma_c\delta, s)$ can evolve to $(\delta', s)$ if $\delta'$ is a CPP that the 
agent knows how to execute from $s$, and such that every possible and complete 
path through $\delta'$ represents a successful execution of the original program $\delta$. 

$$
\begin{aligned}
Trans(\Sigma_c\delta, s, \delta', s') \equiv {} & s' = s \land condPlan(\delta') \land knowHow(\delta', s) \land {} \\
 & \exists\delta''.\ Trans^*(\delta, s, \delta'', run(\delta', s)) \land Final(\delta'', run(\delta', s))
\end{aligned}
$$

While the first line defines what the "form" of a legal solution is, the second one 
makes the connection between the CPP $\delta'$ and the original program $\delta$. Notice 
we want this sentence to be true in every interpretation, and, therefore, the 
sequence of actions produced by $run(\delta', s)$ must always correspond to a (complete) 
sequence of transitions for $\delta$. This is very important since not every CPP will be 
acceptable, but only the ones that are "hidden" in $\delta$. It is important to remark 
that different interpretations could lead to different "runs" and transitions. 

From now on, we assume the above two axioms for $\Sigma_c$, together with the 
axioms for $run$, $condPlan$ and $knowHow$, are all included in the already 
mentioned set of axioms $Axioms$. If, for example, we execute $\Sigma_c\,catch\_plane2$ we get 
that 

$$
Axioms \cup Sensed[\sigma_0] \models Trans(\Sigma_c\,catch\_plane2, S_0, \delta', S_0)
$$

where 

$$
\begin{aligned}
\delta' = {} & goto(airport);\ goto(term2);\ watch\_screen;\ buy(paper); \\
 & \mathbf{if}\ gate > 90\ \mathbf{then}\ \{goto(gate);\ buy(coffee);\ board\_plane\} \\
 & \mathbf{else}\ \{buy(coffee);\ goto(gate);\ board\_plane\}
\end{aligned}
$$

† See [..] for a complete coverage of knowledge and sensing in the situation calculus. 

In this case, $run(\delta', S_0)$ would have two different interpretations w.r.t. the 
set $Axioms \cup Sensed[\sigma_0]$. In the models where $gate > 90$, function $run(\delta', S_0)$ 
denotes the situation 

$$
do([goto(airport), goto(term2), watch\_screen, buy(paper), goto(gate), buy(coffee), board\_plane], S_0)
$$

On the contrary, in those models where $gate \le 90$, function $run(\delta', S_0)$ 
denotes the situation term 

$$
do([goto(airport), goto(term2), watch\_screen, buy(paper), buy(coffee), goto(gate), board\_plane], S_0)
$$

The point is that, in either case, $run(\delta', S_0)$ is supported by the original 
program catch_plane2. 

By inspecting the above $Trans$ axiom for $\Sigma_c$, one can see that $\Sigma_c$ performs 
no action step, but calculates a remaining program $\delta'$ (in particular, a CPP) 
that is ready to be executed online, and that has previously considered how 
future sensing will be managed. This implies that the final sequence of actions will 
eventually depend on the future sensing outcomes; in our example, after 
committing to action watch_screen. Furthermore, the CPP returned has already solved 
all nondeterministic points in the original program as well as all concurrency 
involved in it. In some sense, $\Sigma_c$ can be visualized as an operator that transforms 
an arbitrarily complex ConGolog program into a simple and deterministic CPP 
without requiring it to know in advance how future sensing will turn out. 

The following are some useful properties of $\Sigma_c$. 

Property 1 

$$
Trans((\Sigma_c\delta_1) \mid (\Sigma_c\delta_2), s, \delta', s') \equiv Trans(\Sigma_c(\delta_1 \mid \delta_2), s, \delta', s')
$$

i.e., search distributes over the nondeterministic choice of program. An 
interesting example comes up with programs $\delta_1 = (a; \phi?; b)$ and $\delta_2 = (a; \neg\phi?; c)$. 
Even though not trivial to see, the CPP $\delta' = (a; \mathbf{if}\ \phi\ \mathbf{then}\ b\ \mathbf{else}\ c)$ is a 
solution for both $\Sigma_c(\delta_1 \mid \delta_2)$ and $(\Sigma_c\delta_1) \mid (\Sigma_c\delta_2)$. The former case is easy; the 
latter, though, involves realizing that, in the interpretation where $\phi$ holds, 
the program $\Sigma_c\delta_1$ is the one that performs the transition and a "run" of $\delta'$ 
is action $a$ followed by action $b$. However, in the interpretation where $\neg\phi$ 
holds, the program chosen for the transition is $\Sigma_c\delta_2$, and a "run" of $\delta'$ is 
action $a$ followed by action $c$. 

Property 2 

$$
Trans(\Sigma_c\delta, s, \delta', s') \supset Final(\Sigma\delta, s) \lor \exists\delta'', s''.\ Trans(\Sigma\delta, s, \delta'', s'')
$$

This means that whenever there is a transition w.r.t. $\Sigma_c$, there is also a 
transition w.r.t. $\Sigma$. However, the converse does not apply. 
Property 3 

$$
\begin{aligned}
Trans(\Sigma_c(\delta_1; \delta_2), s, \delta, s) \equiv {} & \exists\delta'_1.\ Trans(\Sigma_c\delta_1, s, \delta'_1, s) \land {} \\
 & \exists\delta^*.\ Trans(\Sigma_c\delta_2, run(\delta'_1, s), \delta^*, run(\delta'_1, s)) \land extcpp(\delta'_1, \delta, \delta^*, s)
\end{aligned}
$$

i.e., a solution for $\delta_1; \delta_2$ can be seen as some solution for $\delta_1$ extended, at each 
leaf, with a conditional plan that solves $\delta_2$. Relation $extcpp(\delta', \delta, \delta^*, s)$ is 
the analogue of sGolog's $ext(c', c, c^*, s)$. Informally, $extcpp(\delta', \delta, \delta^*, s)$ 
means that CPP $\delta$ is obtained by extending the CPP $\delta'$ with the CPP $\delta^*$ 
after executing $\delta'$ from situation $s$. The axioms for such a relation can be 
obtained by a straightforward reformulation of $ext$'s axioms given in [^]. 

Property 4 

$$
Trans(\Sigma_c\delta, s, \delta', s') \supset Final(\delta, s) \lor \exists\delta'', s'', \delta^*, s^*.\ Trans(\delta, s, \delta'', s'') \land Trans(\Sigma_c\delta'', s'', \delta^*, s^*)
$$

This property is closely related to Property 2 for $\Sigma$ given in [..]. Intuitively, 
search can be seen as performing one single step while propagating itself to 
the program that remains after such a step. 

It is not surprising that sGolog solutions are solutions under conditional 
search as well. To show that, we make use of a one-place function $CATtoCPP$ 
that takes a CAT and returns its analogous CPP. We will refer with $Ax_{CATtoCPP}$ 
to the set of axioms defining such a function. 

Theorem 1. Let $\delta$ be an sGolog program, and let $\sigma$ be some history the agent has 
already committed to. Then, the set of axioms $Axioms \cup Sensed[\sigma] \cup Ax_{CAT} \cup Ax_{CATtoCPP}$ 
entails the following sentence: 

$$
Do_s(\delta, end[\sigma], c) \supset Trans(\Sigma_c\delta^-, end[\sigma], CATtoCPP(c), end[\sigma])
$$

The opposite, though, does not hold, because conditional search is more 
general than sGolog in that it allows for splittings at any point. In contrast, and 
as already stated, sGolog splits only at the points explicitly stated by the user 
via the special action $branch\_on$. As a matter of fact, the CAT $c$ of Section 3 
is a solution for catch_plane2b, but not for catch_plane2. On the other hand, 
program $\delta'$ above is indeed a solution for $(\Sigma_c\,catch\_plane2)$ itself, since $\Sigma_c$ need 
not be told where to split.‡ 



4.1 Restricted Conditional Search 

We finish this section by noting that it is easy to slightly modify our axioms to 
define a restricted version of $\Sigma_c$, say $\Sigma_{cb}$, such that splittings in CPPs occur only 
where the programmer has explicitly said so via a special action $branch\_on(\phi)$ 
(as done in sGolog). The main motivation for defining $\Sigma_{cb}$ is to provide a simple 
and clear semantics to our implementation. 

‡ However, under $\Sigma_c$, there may be strange solutions due to naive and useless splittings 
(e.g., splittings w.r.t. tautologies are always allowed). 

We then make use of a special action $branch\_on(\phi)$, whose "effect" is to 
introduce a new conditional construct into the solution, i.e., into the CPP. 
Fortunately, we can achieve this by simply treating $branch\_on(\phi)$ as a normal primitive 
action that is always possible. Intuitively, a transition on a branch action is used 
to leave a "mark" in the situation term so as to force a conditional splitting at 
that point. Given that, at planning time, the branch action will be added to the 
situation term (as done with any other primitive action), we should guarantee 
that it has no effect on any of the domain's fluents. In other words, every fluent in 
the domain should have the same (truth) value before and after a branch action. 

In addition, we change the last two axioms of function $run$ to the following ones: 

$$
\begin{aligned}
\phi(s) \supset run(\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2, s) &= do(branch\_on(\phi), run(\delta_1, s)) \\
\neg\phi(s) \supset run(\mathbf{if}\ \phi\ \mathbf{then}\ \delta_1\ \mathbf{else}\ \delta_2, s) &= do(branch\_on(\phi), run(\delta_2, s))
\end{aligned}
$$

Now, a "run" of the program leaves a "mark" on the situation term, namely 
a $branch\_on(\phi)$ action term, to account for a conditional splitting. 

It is worth observing that, by using the same $Trans$ and $Final$ axioms given for 
$\Sigma_c$, all conditional constructs in the CPP solution are now required to perfectly 
coincide with the branch statements mentioned in the program. Finally, it is 
very important to remark that a branch action will never be mentioned in any 
CPP $\delta'$ obtained by search. In that sense, a $branch\_on(\phi)$ action can be viewed 
as a (meta-level) action whose direct effects are seen only at "planning time." 

It is not difficult to prove that all four properties listed for $\Sigma_c$ are properties 
of $\Sigma_{cb}$ as well.§ What is more important, it can be proved that $\Sigma_{cb}$ and sGolog 
are equivalent for Golog programs. In addition, all solutions of $\Sigma_{cb}$ are also 
solutions of $\Sigma_c$. We will refer with $Axioms'$, instead of $Axioms$, when using the 
modified axioms of $\Sigma_{cb}$. 

Theorem 2. Let $\delta_1$ be an sGolog program and $\delta_2$ a ConGolog one. Let $\sigma$ be some 
history the agent has already committed to. Then, the set of axioms $Axioms' \cup Sensed[\sigma] \cup Ax_{CAT} \cup Ax_{CATtoCPP}$ 
entails the following sentence: 

$$
Do_s(\delta_1, end[\sigma], c) \equiv Trans(\Sigma_{cb}\delta_1, end[\sigma], CATtoCPP(c), end[\sigma])
$$

Furthermore, if $Axioms' \cup Sensed[\sigma] \models Trans(\Sigma_{cb}\delta_2, end[\sigma], \delta', s')$, then 
$Axioms \cup Sensed[\sigma] \models Trans(\Sigma_c\delta_2^-, end[\sigma], \delta', s')$. 

Once again, the restricted version of search is not interesting in terms of the 
specification itself, as it is less general than $\Sigma_c$; but it is convenient in terms of 
implementation issues, as we will see in the following section. 

§ Nonetheless we should replace $\Sigma\delta$ by $\Sigma\delta^-$ in Property 2; for, branch actions make 
no sense in the scope of $\Sigma$. 
5 A Simple Implementation 

In this section, we show a simple Prolog implementation of the restricted 
conditional search construct $\Sigma_{cb}$ under two main assumptions borrowed from [^]: 
(i) only the truth value of relational fluents can be sensed; (ii) whenever a 
$branch\_on(P)$ action is reached, where $P$ is a fluent, both truth values are 
conceivable for $P$. Assumption (ii) allows us to safely use hypothetical reasoning 
on the two possible truth values of $P$. For that, we use two auxiliary actions 
$assm(P)$ and $assm(neg(P))$ whose only effect is to turn $P$ true and false 
respectively. We also assume the following code is already available: 

1. A set of trans/4 and final/2 clauses constituting a correct implementation 
of the $Trans$ and $Final$ predicates for all ConGolog constructs (see [7,18]); 

2. A set of clauses implementing the underlying theory of action used. In 
particular, this set will include facts of the form action(a) and fluent(f) 
defining each action name a and each fluent name f respectively; 

3. A set of kwhether/2 clauses implementing predicate $Kwhether(P, s)$. For 
basic action theories, we can make a simplification by checking whether the 
fluent in question was sensed earlier and not changed since then [5]. For 
guarded theories, where the inertia law may not apply, one may check that the 
fluent can be regressed up to a situation where a sensing axiom is applicable. 

With all these assumptions, the restricted search implementation arises as a 
nice, but still not trivial, mixture between the implementation of sGolog and the 
one for ConGolog. The reader will quickly notice that the code below reuses the 
clauses for $Trans$ and $Final$ of all the other constructs. Besides, it is independent 
of the background theory used, in particular independent of how sensing is 
modeled, as long as the above requirements are met.¶ 

    trans(searchc(E),S,CPP,S) :- build_cpp(E,S,CPP).
    trans(branch_on(P),S,[],[branch_on(P)|S]).

    build_cpp(E,S,[]) :- final(E,S).
    build_cpp([E1|E2],S,C) :- E2\=[], !, build_cpp(E1,S,C1),
                              ext_cpp(E2,S,C1,C).
    build_cpp(branch_on(P),S,if(P,[],[])) :- !, kwhether(P,S).
    build_cpp(E,S,C) :- trans(E,S,E1,[branch_on(P)|S]),
                        build_cpp([branch_on(P)|E1],S,C).
    build_cpp(E,S,C) :- trans(E,S,E1,S), build_cpp(E1,S,C).
    build_cpp(E,S,[A|C]) :- trans(E,S,E1,[A|S]),
                            A\=branch_on(_),          /* any step by an ordinary action */
                            build_cpp(E1,[A|S],C).

    /* ext_cpp(E,S,C,C1) recursively descends the CPP C. On a      */
    /* leaf, build_cpp/3 is used to extend the branch wrt program E. */
    ext_cpp(E,S,[A|C],[A|C2]) :- action(A), ext_cpp(E,[A|S],C,C2).
    ext_cpp(E,S,if(P,C1,C2),if(P,C3,C4)) :-
        ext_cpp(E,[assm(P)|S],C1,C3), ext_cpp(E,[assm(neg(P))|S],C2,C4).
    ext_cpp(E,S,[],C) :- build_cpp(E,S,C).              /* leaf of CPP */

¶ For legibility, we keep the translation between the theory and Prolog implicit. 

Roughly speaking, build_cpp($\delta$, s, C) builds a CPP C for program $\delta$ at situation 
term s by calling trans/4 to obtain a single step, and ext_cpp/4 to extend 
intermediate already-computed CPPs. Relying on the correctness of trans/4, 
final/2, and kwhether/2, it is possible to show that the above program, which 
we will refer to as P, is occur-check and floundering free.‖ 
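The clauses above, ported to Python generators as an added example (this is not the paper's implementation): Prolog backtracking becomes iteration over the solutions of build_cpp, and the cuts become early returns. The program language, the three-valued `holds` standing in for the background theory, the simplified `kwhether`, the sensing axiom (watch_screen senses "gate > 90") and the reduced airport program (goto(airport) in place of the (π a. a)*; at(airport)? prefix, no tests or concurrency) are all assumptions of this example. It finds a CPP for the reduced catch_plane2b, finitely fails on the same program without its branch action (as restricted search must), and fails when the branch action precedes the sensing action, which is the $knowHow$ check.

```python
"""Added example, not the paper's code: the build_cpp/3 and ext_cpp/4 clauses
ported to Python generators.  Assumed program syntax: 'a' (action, always
possible), ('choice', p1, p2), ('if', phi, p1, p2), ('branch_on', phi), and
Python lists for sequences (Prolog's [E1|E2]).  A CPP is a list of actions
optionally ending in ('if', phi, c1, c2).  A situation is the tuple of actions
since S0 = (), with ('assm', phi, v) and ('branch_on', phi) as the
planning-time markers of Section 5; a sensed condition is unknown until an
assm fixes it."""

SENSES = {'watch_screen': 'gate > 90'}   # assumed sensing axiom of the domain

def holds(phi, s):
    """Latest assm(phi, v) in s, else None: unknown at planning time."""
    for a in reversed(s):
        if isinstance(a, tuple) and a[0] == 'assm' and a[1] == phi:
            return a[2]
    return None

def kwhether(phi, s):
    """Kwhether(phi, s), simplified: some action in s senses phi."""
    return any(isinstance(a, str) and SENSES.get(a) == phi for a in s)

def final(e, s):
    if isinstance(e, list):
        return all(final(x, s) for x in e)
    if isinstance(e, str) or e[0] == 'branch_on':
        return False
    if e[0] == 'choice':
        return final(e[1], s) or final(e[2], s)
    v = holds(e[1], s)                                   # 'if': needs a known value
    return v is not None and final(e[2] if v else e[3], s)

def trans(e, s):
    """All one-step transitions (e1, s1) of e in s; none if a condition is unknown."""
    if isinstance(e, list):
        if e:
            for e1, s1 in trans(e[0], s):
                yield [e1] + e[1:], s1
            if final(e[0], s):
                yield from trans(e[1:], s)
    elif isinstance(e, str):
        yield [], s + (e,)
    elif e[0] == 'choice':
        yield from trans(e[1], s)
        yield from trans(e[2], s)
    elif e[0] == 'if':
        v = holds(e[1], s)
        if v is not None:
            yield from trans(e[2] if v else e[3], s)
    else:                                                # branch_on: leave the mark
        yield [], s + (('branch_on', e[1]),)

def build_cpp(e, s):
    """Every C with build_cpp(E, S, C), clauses in the order of the Prolog code."""
    if final(e, s):
        yield []
    if isinstance(e, list) and len(e) >= 2:              # [E1|E2], E2 \= [], then cut
        for c1 in build_cpp(e[0], s):
            yield from ext_cpp(e[1:], s, c1)
        return
    if isinstance(e, tuple) and e[0] == 'branch_on':     # the split itself, then cut
        if kwhether(e[1], s):
            yield [('if', e[1], [], [])]
        return
    for e1, s1 in trans(e, s):
        if s1 == s:                                      # no action step
            yield from build_cpp(e1, s)
        elif isinstance(s1[-1], tuple):                  # mark: re-plan from s with branch_on in front
            yield from build_cpp([s1[-1]] + (e1 if isinstance(e1, list) else [e1]), s)
        else:                                            # ordinary action step
            for c in build_cpp(e1, s1):
                yield [s1[-1]] + c

def ext_cpp(e, s, c):
    """Extend every leaf of CPP c, reached from s, with a solution of e."""
    if c == []:
        yield from build_cpp(e, s)
        return
    head, rest = c[0], c[1:]
    if isinstance(head, tuple):                          # if-node: assume both values
        _, phi, c1, c2 = head
        for c3 in ext_cpp(e, s + (('assm', phi, True),), c1):
            for c4 in ext_cpp(e, s + (('assm', phi, False),), c2):
                yield [('if', phi, c3, c4)]
        return
    for c2 in ext_cpp(e, s + (head,), rest):
        yield [head] + c2

def searchc(e, s=()):
    """trans(searchc(E), S, CPP, S): the first CPP, or None when search finitely fails."""
    return next(build_cpp(e, s), None)

GATE = 'gate > 90'
CATCH_PLANE_2B = [   # reduced catch_plane2b (constructed for this example)
    'goto(airport)', ('choice', 'goto(term1)', 'goto(term2)'), 'watch_screen',
    ('choice', 'buy(magazine)', 'buy(paper)'), ('branch_on', GATE),
    ('if', GATE, ['goto(gate)', 'buy(coffee)'], ['buy(coffee)', 'goto(gate)']),
    'board_plane']
CATCH_PLANE_2 = [x for x in CATCH_PLANE_2B if x != ('branch_on', GATE)]   # same program minus its branch action
BRANCH_BEFORE_SENSING = [('branch_on', GATE), 'watch_screen',
                         ('if', GATE, ['goto(gate)'], ['buy(coffee)'])]
```

`searchc(CATCH_PLANE_2B)` returns the first of four CPPs (one per combination of the two nondeterministic choices), each ending in an if-node on "gate > 90" whose branches were planned under assm(P) and assm(neg(P)) respectively; `searchc(CATCH_PLANE_2)` and `searchc(BRANCH_BEFORE_SENSING)` both return None, the first because the if statement cannot make a transition while its condition is unknown and no branch action asks for a split, the second because kwhether fails before watch_screen.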

Lemma 1. Let $\delta$ be a ground ConGolog program term, and let $s$ be a ground 
situation term. Then, the goal G = build_cpp($\delta$, s, C) is occur-check and 
floundering free w.r.t. program P, assuming a correct implementation of trans/4, 
final/2, action/1, fluent/1, and kwhether/2. 

Finally, we show that whenever the above implementation succeeds, a 
conditional program plan supported by the specification as a legal solution of both 
$\Sigma_{cb}$ and $\Sigma_c$ is returned (by binding variable P below). In contrast, whenever the 
implementation finitely fails, we can only guarantee that the specification of $\Sigma_{cb}$ 
supports no solution at all. 

Theorem 3. Let $\delta$ be a ground program term not mentioning search, and let 
$\sigma$ be a history. Let G be the goal trans(searchc($\delta$), end[$\sigma$], P, S). If G succeeds 
with computed answer P = $\delta'$, S = $s'$, then $\delta'$ is a CPP, $s' = end[\sigma]$, and 

$$
\begin{aligned}
Axioms' \cup Sensed[\sigma] &\models Trans(\Sigma_{cb}\delta, end[\sigma], \delta', s') \\
Axioms \cup Sensed[\sigma] &\models Trans(\Sigma_c\delta^-, end[\sigma], \delta', s')
\end{aligned}
$$

On the other hand, whenever G finitely fails, then 

$$
Axioms' \cup Sensed[\sigma] \models \forall\delta', s'.\ \neg Trans(\Sigma_{cb}\delta, end[\sigma], \delta', s')
$$

It is worth noting that our results rely heavily on the implementation of 
trans/4, final/2, and kwhether/2. In particular, in order to assure correctness 
for the first two predicates, we may need to impose extra conditions on both 
programs and histories (e.g., see just-in-time histories and programs in [..]). 

Finally, we conjecture that it is possible to develop a better, and yet 
implementable, splitting strategy that does not rely on the user, and hence does not 
use any special branching action. A plausible approach may be to split whenever 
the interpreter finds a condition $\phi$ that is not known at planning time. Clearly, 
this means that at least one fluent mentioned in $\phi$ is unknown; if the fluent will 
be known due to future sensing, we should branch w.r.t. it. Observe that we 
should not only consider the conditions mentioned in the program, but all the 
formulas required to evaluate a transition (such as the actions' preconditions). 
One point in favor of this strategy is that it is always sound w.r.t. $\Sigma_c$, due to the 
fact that $\Sigma_c$ allows for any branching at any point, even for naive and 
unnecessary ones. Put differently, any solution reported by Prolog will be supported 
by the specification. On the other hand, it is not totally clear whether we can 
capture the branching power of $\Sigma_c$ completely. Furthermore, this strategy will 
require considerably more computational effort during the search. Despite these 
difficulties, we think these ideas deserve future attention in pursuit of a more 
flexible and practical implementation. 

‖ In reality, the program used will be P union the code for trans/4, final/2, 
kwhether/2, and the one implementing the underlying theory of action. 

6 Conclusions and Further Research 

In this article, we have developed a new local lookahead construct for the Golog 
family of robot programs. The new construct provides local offline verification 
with sensing of ConGolog programs, produces complete conditional plans, and 
moreover, it mixes well with an interleaved account of execution. In some sense, 
the work here shows how easily one can extend Golog and ConGolog, together 
with their implementations, to handle local contingent planning. Proofs and more 
technical details can be found in an extended version of this paper [..]. 

Many problems remain open. First, it would be interesting to investigate some 
principled way of interleaving search in high-level programs since that determines 
how realistic, practical, and complete our programs are. Second, there is much 
to say regarding the relation between our search and the original one in [10]. For 
instance, neither subsumes completely the other. Nonetheless, it can be shown 
that, in some interesting cases, the original search $\Sigma$ would actually execute an 
"implicit" CPP which $\Sigma_c$ would support as a solution. Third, as already said, 
we would like to investigate some principled way of branching that does not 
rely on the user and is still implementable. Last, but not least, our approach 
may suggest the construction of more general (robot) plans than CPPs (in the 
sense of [4,21,22]). Indeed, solutions where the length of a branch is finite, but 
not bounded, cannot be captured with our conditional construct, but would be 
captured with a more general framework using loops (e.g., the cracking eggs 
example in [^]). There seems to be, however, a natural tradeoff between the 
expressivity in the theory and its corresponding computational complexity. 

Acknowledgements. I am grateful to Hector Levesque for many helpful 
discussions and comments. Thanks also to Gerhard Lakemeyer for an early discussion 
on the subject of this paper, and to the anonymous referees for their valuable 
Abstract. An expressive semantic framework for program refinement 
that supports both temporal reasoning and reasoning about the knowledge 
of multiple agents is developed. The refinement calculus owes the 
cleanliness of its decomposition rules for all programming language 
constructs and the relative simplicity of its semantic model to a rigid 
synchrony assumption which requires all agents and the environment to 
proceed in lockstep. The new features of the calculus are illustrated in a 
derivation of the two-phase-commit protocol. 



1 Introduction 

The knowledge-based approach to the design and analysis of distributed sys- 
tems, introduced by Halpern and Moses [13] involves the use of modal logics 
of knowledge. One of the key contributions of this approach is the notion of 
knowledge-based programs [9,8], that is, programs with formulas in the logic of 
knowledge as tests in conditional constructs. Such programs contain statements 
of the form “if you know that (f> then do A else B” . Knowledge-based programs 
provide abstractions of distributed programs that allow for perspicuous descrip- 
tions of how agents’ actions are related to their, typically incomplete, state of 
information about their environment. While knowledge-based programs provide 
a useful type of high level specification for distributed systems, they have a num- 
ber of limitations, such as their failure to abstract actions, the fact that they 
sometimes permit as implementations only programs of unacceptably high com- 
putational complexity, and the lack of a formal development framework [23, 14, 
7]. These limitations have led us to seek to develop a more general framework 
that enhances knowledge-based programs in order to overcome their limitations. 
Our more general framework is in the form of a refinement calculus. Refinement 
calculi [1, 19, 20] are formalizations of the ubiquitous stepwise refinement method 
of program construction [26]. They view programs and specifications as having 
the same semantic type, and guide top-down development by a set of rules. One 
begins with a specification and transforms it to an implementation by means of 
a sequence of correctness preserving refinement steps according to those rules. 
The initial focus in this area has been on sequential programs and atemporal 
assertions. 



Recently, the scope of refinement calculi has been broadened to overcome 
both limitations. Some calculi have distributed or parallel systems as domain [2, 
3], others admit the expressive power of temporal logics [24, 15]. 



The refinement calculus we are developing is aimed at supporting develop- 
ment of distributed systems using the insights afforded by the knowledge-based 
approach, but without suffering the limitations of knowledge-based programs. 
Some of the key ingredients of the calculus were introduced in previous papers. 
In order to address the problem that knowledge-based programs sometimes have 
only implementations of high computational complexity, [6] generalised multi- 
agent epistemic logics [13] to the Logic of Local Propositions (LLP), which en- 
ables knowledge-based program-like specifications having a broader range of im- 
plementations. Since reasoning about distributed systems frequently involves 
temporal considerations, a refinement calculus incorporating linear time tempo- 
ral logic assertions was developed in [25] . The logic of local propositions and the 
temporal refinement calculus were amalgamated in [7], yielding the first refine- 
ment calculus that supports assertional reasoning about knowledge and time. 



The calculus of [7] is restricted to a single agent interacting with its environ- 
ment. The present paper presents the next step towards our aim, by extending 
the single agent calculus to one with multiple agents. We restrict ourselves to a 
program operator for agent parallelism which amounts to insisting that all agents 
and even the environment proceed in lockstep. While we will ultimately be in- 
terested in more flexible forms of agent interaction, this operator has the benefit 
of admitting some perspicuous refinement rules, and is already rich enough to 
capture some interesting examples that exercise key features of our knowledge- 
based refinement approach. In particular, we demonstrate how it can be used 
for the top down development of an atomic commitment protocol in the pres- 
ence of process crashes. This provides an informative case study for our broader 
program. 



The paper is structured as follows. Section 2 summarizes the framework 
presented in [7] and how it is extended to the synchronous multi-agent case. We 
first define an assertion language that adapts the LLP semantics to the richer 
temporal setting required for reasoning about multi-agent programs. Then we 
present the syntax and semantics of our multi-agent programming and 
specification language. Section 3 defines the refinement relation we use for this class 
of programs and develops a number of refinement rules valid for this relation, 
including the abovementioned decomposition rules. Section 4 illustrates the use 
of the new rules in a derivation of the two-phase-commit protocol. Section 5 
concludes and indicates where we intend to go from here. 
2 Programming with Assertions about Knowledge and Time 

2.1 Semantic Domain 

In [7] we presented a semantic framework that is extended here from the single-
agent case to the synchronous multi-agent case. Further motivation for this 
general line of work can be found in [8]. 

Let $n \in \mathbb{N}$ be a number of agents, traditionally named $1, \ldots, n$. Let $L_e$ be 
a set of possible states for the environment and, for $i \in \{1, \ldots, n\}$, let $L_i$ be a 
set of possible local states for agent $i$. We take $G = (\times_{i=1}^{n} L_i) \times L_e$ to be the 
set of global states. Let $A_i$ and $A_e$ be nonvoid sets of actions for agent $i$ and for 
the environment, respectively. (These sets usually contain a special null action 
$\Lambda$.) A joint action is an $(n + 1)$-tuple $(a_1, \ldots, a_n, a_e) \in A = (\times_{i=1}^{n} A_i) \times A_e$. 

A run over $G$ and $A$ is a pair $r = (h, a)$ of infinite sequences: a state history 
$h : \mathbb{N} \to G$, and an action history $a : \mathbb{N} \to A$. Intuitively, for $c \in \mathbb{N}$, $h(c)$ is 
the global state of the system at time $c$ and $a(c)$ is the joint action occurring 
at time $c$. (We say more about the transition relation connecting states and 
actions later.) A system over $G$ and $A$ is a set of runs over $G$ and $A$, intuitively 
representing all possible histories. A pair $(r, c)$ consisting of a run $r$ (in system 
$S$) and a time $c \in \mathbb{N}$ is called a point (in $S$). We write $Points(S)$ for the set of 
points of $S$. Let $Prop$ be a set of propositional variables. An interpretation of a 
system $S$ is a mapping $\pi : Prop \to 2^{Points(S)}$ associating a set of points with 
each propositional variable.¹ Intuitively, proposition $p \in Prop$ is true exactly at 
the points contained in $\pi(p)$. An interpreted system (over $G$ and $A$) is a pair 
$\mathcal{I} = (S, \pi)$ where $S$ is a system over $G$ and $A$ and $\pi$ is an interpretation of $S$. 

The structure in the above definitions supports the following notions used to 
define an agent's knowledge. We say two points $(r, c), (r', c')$ in a system $S$ are 
$i$-indistinguishable, denoted $(r, c) \sim_i (r', c')$, if agent $i$'s local components of 
the global states at these points are equal, i.e., the $i$th projections of $h(c)$ and 
$h'(c')$ are equal, where $r = (h, a)$ and $r' = (h', a')$. A set $P$ of points of $S$ is $i$-local 
if it is closed under $\sim_i$; in other words, when for all pairs of points $(r, c), (r', c')$ 
of $S$, if $(r, c) \in P$ and $(r, c) \sim_i (r', c')$ then $(r', c') \in P$. Intuitively, $i$-local sets 
of points correspond to properties that agent $i$ is able to determine entirely on 
the basis of its local state. If $\pi$ and $\pi'$ are interpretations and $p \in Prop$, then 
$\pi'$ is said to be a $p$-variant of $\pi$, denoted $\pi \sim_p \pi'$, if $\pi$ and $\pi'$ differ at most in 
the value of $p$. If, additionally, $\pi'(p)$ is $i$-local, then $\pi'$ is said to be an $i$-local $p$-
variant of $\pi$, denoted $\pi \sim_p^i \pi'$. If $\mathcal{I} = (S, \pi)$ and $\mathcal{I}' = (S', \pi')$ are two interpreted 
systems over $G$ and $A$, then $\mathcal{I}'$ is said to be a $p$-variant ($i$-local $p$-variant) of $\mathcal{I}$, 
denoted $\mathcal{I} \sim_p \mathcal{I}'$ (resp. $\mathcal{I} \sim_p^i \mathcal{I}'$), if $S = S'$ and $\pi \sim_p \pi'$ (resp. $\pi \sim_p^i \pi'$). 

¹ Some standard treatments such as [8] interpret propositions over sets of global states 
so that $\pi : Prop \to 2^{G}$. This could easily be done for this paper, with practically no 
changes to the resulting framework. 

2.2 An Assertion Language for Knowledge and Time 

The assertion language $\mathcal{L}$ we use in this paper resembles S5 with two additions: 
(a) restricted monadic second order quantification for each of the agents' local 
predicates and (b) operators from the linear time temporal logic LTL [18]. Its 
syntax is given by: 

$$
\phi ::= p \mid \neg\phi \mid \phi \land \phi \mid \mathrm{Nec}\,\phi \mid \forall p\,(\phi) \mid \forall_i p\,(\phi) \mid \bigcirc\phi \mid \phi\,\mathcal{U}\,\phi \mid \ominus\phi \mid \phi\,\mathcal{S}\,\phi
$$

where $p \in Prop$ and $i \in \{1, \ldots, n\}$. Intuitively, $\mathrm{Nec}\,\phi$ says that $\phi$ is true at all 
points in the interpreted system, and its dual $\mathrm{Poss}\,\phi = \neg\mathrm{Nec}\,\neg\phi$ states that 
$\phi$ is true at some point. The formula $\forall p\,(\phi)$ says that $\phi$ is true for all assignments 
of a proposition (set of points) to the propositional variable $p$. Formula 
$\forall_i p\,(\phi)$ says the same, except that the assignments to $p$ must be $i$-local. We 
write $\exists_i p\,(\phi)$ for its dual $\neg\forall_i p\,(\neg\phi)$. The remaining connectives have their 
standard interpretations from linear time temporal logic: $\bigcirc$ ("next"), $\mathcal{U}$ ("until"), $\ominus$ 
("previously") and $\mathcal{S}$ ("since"). We employ parentheses to indicate aggregation 
and use standard abbreviations such as $\mathit{true}$, $\mathit{false}$, $\lor$, $\exists p\,(.)$, and definable future 
time operators such as $\Box$ ("henceforth") and $\Diamond$ ("eventually"), as well as their 
past time counterparts $\boxminus$ ("until now") and $\Diamond\!\!\!\!-$ ("once"). 

Formulae of $\mathcal{L}$ are interpreted at a point $(r, c)$ of an interpreted system $\mathcal{I} = (S, \pi)$ 
by means of the satisfaction relation $\models$, defined inductively by: 

- $\mathcal{I}, (r, c) \models p$ iff $(r, c) \in \pi(p)$; 
- $\mathcal{I}, (r, c) \models \neg\phi$ iff $\mathcal{I}, (r, c) \not\models \phi$; 
- $\mathcal{I}, (r, c) \models \phi \land \psi$ iff $\mathcal{I}, (r, c) \models \phi$ and $\mathcal{I}, (r, c) \models \psi$; 
- $\mathcal{I}, (r, c) \models \mathrm{Nec}\,\phi$ iff $\mathcal{I}, (r', c') \models \phi$ for all $(r', c') \in Points(S)$; 
- $\mathcal{I}, (r, c) \models \forall p\,(\phi)$ iff $\mathcal{I}', (r, c) \models \phi$ for all $\mathcal{I}'$ such that $\mathcal{I} \sim_p \mathcal{I}'$; 
- $\mathcal{I}, (r, c) \models \forall_i p\,(\phi)$ iff $\mathcal{I}', (r, c) \models \phi$ for all $\mathcal{I}'$ such that $\mathcal{I} \sim_p^i \mathcal{I}'$; 
- $\mathcal{I}, (r, c) \models \bigcirc\phi$ iff $\mathcal{I}, (r, c + 1) \models \phi$; 
- $\mathcal{I}, (r, c) \models \phi\,\mathcal{U}\,\psi$ iff there exists a $d \ge c$ such that $\mathcal{I}, (r, d) \models \psi$ and $\mathcal{I}, (r, e) \models \phi$ 
  for all $e$ with $c \le e < d$; 
- $\mathcal{I}, (r, c) \models \ominus\phi$ iff $c > 0$ and $\mathcal{I}, (r, c - 1) \models \phi$; 
- $\mathcal{I}, (r, c) \models \phi\,\mathcal{S}\,\psi$ iff there exists a $d \le c$ such that $\mathcal{I}, (r, d) \models \psi$ and $\mathcal{I}, (r, e) \models \phi$ 
  for all $e$ with $d < e \le c$. 

Let $\phi \in \mathcal{L}$ and let $\mathcal{S}$ be a set of interpreted systems. We say that $\phi$ is valid in $\mathcal{S}$, and write $\mathcal{S} \models \phi$, if $\phi$ is satisfied at all points of all interpreted systems in $\mathcal{S}$.

It is possible to express in $\mathcal{L}$ many operators from the literature on reasoning about knowledge. For example, consider the standard knowledge operator $K_i$, defined by $\mathcal{J}, (r,c) \models K_i\phi$ iff $\mathcal{J}, (r',c') \models \phi$ for all points $(r',c')$ of $\mathcal{J}$ such that $(r,c) \sim_i (r',c')$. The formula $K_i\phi$ is expressible as $\exists_i p\,(p \wedge \mathit{Nec}(p \to \phi))$, where $p$ does not occur freely in $\phi$. This characterization of knowledge motivates a weaker notion, that of an $i$-local condition $p$ that is sound for $\phi$, i.e., satisfies $\mathit{Nec}(p \to \phi)$. This weaker notion (which we apply in Section 4) helps to overcome some of the complexity and proof-theoretic limitations of knowledge-based programs. We refer to [6] for further examples and discussion.
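To make the satisfaction relation and the knowledge operator concrete, here is an added example (not part of the paper) that evaluates formulas of the assertion language over a small, constructed interpreted system: three finite runs of a two-agent vote exchange, where the encoding of runs and local states and the proposition names AC, NF and AV are all assumptions of the example. It computes $K_1 AC$ as truth at every point agent 1 cannot distinguish from the current one, and checks that the set of points where $K_1 AC$ holds is a 1-local test $p$ that is sound for $AC$, which is the equivalence $K_i\phi \equiv \exists_i p\,(p \wedge \mathit{Nec}(p \to \phi))$ stated above. Runs are finite prefixes, so $\bigcirc$ is taken to be false at the last point and $\mathcal{U}$ needs its witness inside the prefix.

```python
# Added example: evaluator for the assertion language over a constructed
# finite interpreted system.  Global states are tuples (environment, local_1,
# local_2); runs are finite prefixes.  Agent 1 is a coordinator with mailbox m,
# agent 2 holds a vote v.  Representation and names are assumptions.
SYSTEM = {
    "r_ok":    [("up", "m=?", "v=T"), ("up", "m=T", "v=T")],       # vote delivered
    "r_crash": [("up", "m=?", "v=T"), ("crashed", "m=?", "v=T")],  # sender crashes
    "r_abort": [("up", "m=?", "v=F"), ("up", "m=F", "v=F")],       # abort delivered
}

def points(system):
    return [(r, c) for r, run in system.items() for c in range(len(run))]

def local_state(system, point, i):
    r, c = point
    return system[r][c][i]            # index 0 is the environment, i >= 1 an agent

# Interpretation pi: proposition name -> set of points at which it holds.
PI = {
    "AC": {q for q in points(SYSTEM) if local_state(SYSTEM, q, 2) == "v=T"},
    "NF": {q for q in points(SYSTEM) if local_state(SYSTEM, q, 0) == "up"},
    "AV": {q for q in points(SYSTEM) if local_state(SYSTEM, q, 1) == "m=T"},
}

def holds(system, pi, f, point):
    """J,(r,c) |= f for tuple formulas: ("p",name) ("not",f) ("and",f,g) ("imp",f,g)
    ("nec",f) ("next",f) ("until",f,g) ("prev",f) ("since",f,g) ("K",i,f)."""
    r, c = point
    run = system[r]
    op = f[0]
    if op == "p":
        return point in pi[f[1]]
    if op == "not":
        return not holds(system, pi, f[1], point)
    if op == "and":
        return holds(system, pi, f[1], point) and holds(system, pi, f[2], point)
    if op == "imp":
        return not holds(system, pi, f[1], point) or holds(system, pi, f[2], point)
    if op == "nec":                   # true at every point of the system
        return all(holds(system, pi, f[1], q) for q in points(system))
    if op == "next":                  # no successor inside the prefix: false
        return c + 1 < len(run) and holds(system, pi, f[1], (r, c + 1))
    if op == "until":                 # some d >= c with g at d and f on [c, d)
        for d in range(c, len(run)):
            if holds(system, pi, f[2], (r, d)):
                return True
            if not holds(system, pi, f[1], (r, d)):
                return False
        return False
    if op == "prev":
        return c > 0 and holds(system, pi, f[1], (r, c - 1))
    if op == "since":                 # some d <= c with g at d and f on (d, c]
        for d in range(c, -1, -1):
            if holds(system, pi, f[2], (r, d)):
                return True
            if not holds(system, pi, f[1], (r, d)):
                return False
        return False
    if op == "K":                     # K_i g: g at every point agent i cannot tell apart
        i, g = f[1], f[2]
        mine = local_state(system, point, i)
        return all(holds(system, pi, g, q) for q in points(system)
                   if local_state(system, q, i) == mine)
    raise ValueError(f"unknown operator {op!r}")

def is_local(system, prop, i):
    """A proposition (set of points) is i-local iff it depends only on agent i's local state."""
    seen = {}
    for q in points(system):
        seen.setdefault(local_state(system, q, i), set()).add(q in prop)
    return all(len(vals) == 1 for vals in seen.values())

def knowledge_as_local_test(system, pi, i, g):
    """Points where K_i g holds: the largest i-local p with Nec(p -> g)."""
    return {q for q in points(system) if holds(system, pi, ("K", i, g), q)}

def demo():
    AC, NF, AV = ("p", "AC"), ("p", "NF"), ("p", "AV")
    k1ac = ("K", 1, AC)
    p = knowledge_as_local_test(SYSTEM, PI, 1, AC)
    pi_p = {**PI, "p": p}
    start = ("r_ok", 0)                # Nec does not depend on the point
    return {
        "K1AC_after_delivery": holds(SYSTEM, PI, k1ac, ("r_ok", 1)),
        "K1AC_after_crash": holds(SYSTEM, PI, k1ac, ("r_crash", 1)),
        "AC_is_1local": is_local(SYSTEM, PI["AC"], 1),
        "p_is_1local": is_local(SYSTEM, p, 1),
        "p_sound": holds(SYSTEM, pi_p, ("nec", ("imp", ("p", "p"), AC)), start),
        "p_equals_AV": p == PI["AV"],
        # NF must be read at the end of the phase; the naive version fails on r_crash
        "naive_goal": holds(SYSTEM, PI, ("nec", ("imp", ("and", AC, NF), ("next", k1ac))), start),
        "phase1_goal": holds(SYSTEM, PI, ("nec", ("imp", ("and", AC, ("next", NF)), ("next", k1ac))), start),
        "until_ok": holds(SYSTEM, PI, ("until", NF, AV), ("r_ok", 0)),
        "until_crash": holds(SYSTEM, PI, ("until", NF, AV), ("r_crash", 0)),
    }
```

Calling demo() also shows why a phase goal has to read NF at the end of the phase: with NF evaluated before the step, the run in which agent 2 crashes while sending falsifies $\mathit{Nec}(AC \wedge NF \to \bigcirc K_1 AC)$, whereas $\mathit{Nec}(AC \wedge \bigcirc NF \to \bigcirc K_1 AC)$ holds on this system.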

2.3 A Programming Language with Quantification over Local 
Propositions 

In this section we define our wide spectrum programming language, and discuss 
its semantics. We also define a refinement relation on programs. 
Syntax. Let $CT$ be a set of constraint tags and let $PV, PV_1, \ldots, PV_n$ be mutually disjoint sets of program variables. For each $i \in \{1, \ldots, n\}$ define a syntactic category $Prg_i$ of (sequential) programs for agent $i$ by:

$$Prg_i \ni P_i ::= \epsilon \mid Z \mid a \mid P_i * P_i \mid P_i + P_i \mid P_i^\omega \mid \exists_i p(P_i) \mid [\phi,\psi]^X \mid [\phi]^X \mid \{\phi\}_C$$

where $Z \in PV_i$, $a \in A_i$, $p \in \mathit{Prop}$, $\phi, \psi \in \mathcal{L}$, $X \in CT$, and $C \subseteq CT$. The very similar syntactic category $Prg$ of $n$-agent programs is formally defined by:

$$Prg \ni P ::= \epsilon \mid Z \mid (\|_{i=1}^n P_i) \mid P * P \mid P + P \mid P^\omega \mid \exists_i p(P) \mid [\phi,\psi]^X \mid [\phi]^X \mid \{\phi\}_C$$

where $Z \in PV$, $P_i \in Prg_i$, $p \in \mathit{Prop}$, $\phi, \psi \in \mathcal{L}$, $X \in CT$, and $C \subseteq CT$. The intuitive meaning of these constructs is the same for both levels of the language. The symbol $\epsilon$ denotes the empty program, which takes no time to execute, and has no effects. Program variables $Z$ are placeholders used to allow substitution of programs. Note that a sequential program for agent $i$ may refer directly to actions $a$ of agent $i$, but the actions of the environment are left implicit. The operation “$*$” represents sequential composition. The symbol “$+$” denotes nondeterministic choice, while $P^\omega$ denotes zero or more (possibly infinitely many) repetitions of program $P$. The construct $\exists_i p(P)$ can also be understood as a kind of nondeterministic choice: it states that $P$ runs with respect to some assignment of an $i$-local proposition to the propositional variable $p$. The last three constructs are similar to constructs found in refinement calculi. Intuitively, the specification $[\phi,\psi]^X$ stands for any program that, if started at a point satisfying $\phi$, eventually terminates at a point satisfying $\psi$.^ The coercion $[\phi]^X$ is a program that takes no time to execute, but expresses a constraint on the surrounding program context: this must guarantee that $\phi$ holds at this location. The constraint tag $X$ in specifications and coercions acts as a label that allows references by other pieces of program text. Specifically, this is done in the assertion statements, which have the form $\{\phi\}_C$ and act as program annotations: such a statement takes no time to execute, and, intuitively, asserts that $\phi$ can be proved to hold at this program location, with the proof depending only on concrete program fragments, and on specification and coercion statements whose tags are in $C$. We may omit the constraint tags when there is no need to make such references.

In local programs “$*$” binds tighter than “$+$”, which in turn binds tighter than (the necessarily $n$-agent) “$\|$”. Also in $n$-agent programs “$*$” binds tighter than “$+$” but both bind less tightly than “$\|$”. We employ parentheses to indicate aggregation wherever necessary and tend to omit “$*$” near coercions and assertions. We use $\mathbf{if}^X\ \phi\ \mathbf{then}\ P\ \mathbf{else}\ Q\ \mathbf{fi}$ as abbreviation for $[\phi]^X * P + [\neg\phi]^X * Q$.



Semantics. Our semantics will treat programs as specifications of certain sets of run segments in a system, intuitively, the sets of run segments that can be viewed as having been generated by executing the program. We note that the semantics presented in this section treats assertions $\{\phi\}_C$ as equivalent to the null program $\epsilon$; the role of assertions in the framework will be explained in Section 3.1.

^ In refinement calculi, such statements are typically associated with frame variables, representing the variables allowed to change during the execution; we could add these, but omit them for brevity.

Execution Trees. We first define execution trees, which represent all unfoldings of the nondeterminism in a program. It is convenient to represent these trees as follows. An $n$-ary tree domain is a prefix-closed subset of the set $\{0, \ldots, n-1\}^* \cup \{0, \ldots, n-1\}^\omega$. In particular, each nonvoid tree domain contains the empty sequence $\lambda$. Let $A$ be a set. An $A$-labelled $n$-ary tree is a function $T$ from an $n$-ary tree domain $D$ to $A$. The nodes of $T$ are the elements of $D$. The node $\lambda$ is called the root of $T$. If $l \in D$ we call $T(l)$ the label at node $l$. If $l \in D$ then the children of $l$ in $T$ are the nodes of $T$ (if any) of the form $l \cdot i$ where $i \in \{0, \ldots, n-1\}$. Finite maxima in the prefix order on $D$ are called leaves of $T$.

An execution tree for agent $i$ is a $Prg_i$-labelled binary tree, subject to the following constraints on the nodes $l$:

1. If $l$ is labelled by $\epsilon$, a program variable $Z$, a specification $[\phi,\psi]^X$, a coercion $[\phi]^X$, or an assertion $\{\phi\}_C$ then $l$ is a leaf.

2. If $l$ is labelled by a basic action $a \in A_i$, then $l$ is also a leaf.

3. If $l$ is labelled by $\exists_i p(P)$ then $l$ has exactly one child $l \cdot 0$, labelled by $P$.

4. If $l$ is labelled by $P * Q$ or $P + Q$ then $l$ has exactly two children $l \cdot 0$, $l \cdot 1$, labelled by $P$ and $Q$ respectively.

5. If $l$ is labelled by $P^\omega$ then $l$ has exactly two children, $l \cdot 0$, $l \cdot 1$, labelled by $\epsilon$ and $P * (P^\omega)$, respectively.

With each program $P_i \in Prg_i$ we associate a particular execution tree, $T_{P_i}$, namely the unique execution tree for agent $i$ labelled with $P_i$ at the root $\lambda$. An $n$-agent execution tree is a $(Prg \cup \bigcup_{i=1}^n Prg_i)$-labelled $n$-ary tree, subject to the same constraints on the nodes $l$ as if it were an execution tree for some agent, except for condition 2, which is replaced by:

2'. If $l$ is labelled by $(\|_{i=1}^n P_i)$ then $l$ has exactly $n$ children $l \cdot 0, \ldots, l \cdot (n-1)$, labelled by $P_1, \ldots, P_n$ respectively. For each $i \in \{1, \ldots, n\}$ the subtree rooted at $l \cdot (i-1)$ is an execution tree for agent $i$.

With each $n$-agent program $P \in Prg$ we associate a particular execution tree, $T_P$, namely the unique $n$-agent execution tree labelled with $P$ at the root $\lambda$.

Interval Sets. We now define the semantic constructs specified by programs. An interval in a system $S$ is a triple $r[c,d]$ consisting of a run $r$ of $S$ and two elements $c$ and $d$ of $\mathbb{N}_+ = \mathbb{N} \cup \{\infty\}$ such that $c \le d$. We say that the interval is finite if $d < \infty$. A set $I$ of intervals is run-unique if $r[c,d], r[c',d'] \in I$ implies $c = c'$ and $d = d'$. An interpreted interval set over $S$ (or iis for short) is a pair $(\pi, I)$ consisting of an interpretation $\pi$ of $S$ and a run-unique set $I$ of intervals over $S$.
We will view programs as specifying, or executing over, iis, by means of certain mappings from execution trees to iis. To facilitate the definition in the case of sequential composition, we introduce a shorthand for the two sets obtained by splitting each interval in a given run-unique set $I$ of intervals of $S$ in two. Say that $f : I \to \mathbb{N}_+$ divides $I$ whenever $c \le f(r[c,d]) \le d$ holds for all $r[c,d] \in I$. Given some $f$ dividing $I$, we write $f^{\triangleright}(I)$ for the set of intervals $r[f(r[c,d]), d]$ such that $r[c,d] \in I$. Analogously, we write $f_{\triangleright}(I)$ for $\{\, r[c, f(r[c,d])] \mid r[c,d] \in I \,\}$.



Embeddings. Let $S$ be a system, let $(\pi, I)$ be an iis w.r.t. $S$, and let $P_i \in Prg_i$ be a sequential program for agent $i$. A function $\theta$ mapping each node $l$ of $T_{P_i}$ to an iis $(\pi_{\theta(l)}, I_{\theta(l)})$ is an embedding of $T_{P_i}$ in $(\pi, I)$ w.r.t. $S$ whenever the following conditions are satisfied:

1. $\theta(\lambda) = (\pi, I)$.

2. If $l$ is labelled $\epsilon$ or $\{\phi\}_C$, then $c = d$ for all $r[c,d] \in I_{\theta(l)}$.

3. If $l$ is labelled $a$ for some $a \in A_i$, then, for all $(h, \alpha)[c,d] \in I_{\theta(l)}$, if $c < \infty$ then both $d = 1 + c$ and the $i$th projection of $\alpha(c)$ is $a$.

4. If $l$ is labelled $[\phi,\psi]^X$, then, for all $r[c,d] \in I_{\theta(l)}$, if $c < \infty$ and $(S, \pi_{\theta(l)}), (r,c) \models \phi$, then both $d < \infty$ and $(S, \pi_{\theta(l)}), (r,d) \models \psi$.

5. If $l$ is labelled $[\phi]^X$, then $c < \infty$ implies that $c = d$ and $(S, \pi_{\theta(l)}), (r,c) \models \phi$, for all $r[c,d] \in I_{\theta(l)}$.

6. If $l$ is labelled $\exists_i p(Q)$ then $\pi_{\theta(l)} \sim^i_p \pi_{\theta(l \cdot 0)}$ and $I_{\theta(l \cdot 0)} = I_{\theta(l)}$.

7. If $l$ is labelled $Q_1 + Q_2$, then $\pi_{\theta(l \cdot 0)} = \pi_{\theta(l \cdot 1)} = \pi_{\theta(l)}$ and $I_{\theta(l)}$ is the disjoint union of $I_{\theta(l \cdot 0)}$ and $I_{\theta(l \cdot 1)}$.

8. If $l$ is labelled $Q_1 * Q_2$, then $\pi_{\theta(l \cdot 0)} = \pi_{\theta(l \cdot 1)} = \pi_{\theta(l)}$ and there is an $f$ dividing $I_{\theta(l)}$ such that $I_{\theta(l \cdot 0)} = f_{\triangleright}(I_{\theta(l)})$ and $I_{\theta(l \cdot 1)} = f^{\triangleright}(I_{\theta(l)})$.

9. If $l$ is labelled $Q^\omega$ then $\pi_{\theta(l \cdot 0)} = \pi_{\theta(l \cdot 1)} = \pi_{\theta(l)}$ and $I_{\theta(l)}$ is the disjoint union of $I_{\theta(l \cdot 0)}$ and $I_{\theta(l \cdot 1)}$ (as in case 7) and, for all $r[c,d] \in I_{\theta(l)}$,

$$d = \bigsqcup \{\, d' \mid r[c',d'] \in I_{\theta(l \cdot m)} \text{ for some leaf } l \cdot m \text{ of } T_{P_i} \text{ below } l \,\}.$$

We write $S, (\pi, I) \Vdash_\theta P_i$ whenever $\theta$ is an embedding of $T_{P_i}$ in $(\pi, I)$ w.r.t. $S$. Say that $P_i$ occurs over $(\pi, I)$ w.r.t. $S$ and write $S, (\pi, I) \Vdash P_i$ if there exists a $\theta$ such that $S, (\pi, I) \Vdash_\theta P_i$. (See [7] for further motivation on the definitions for single agent related notions.)

Let $P \in Prg$. A function $\theta$ mapping each node $l$ of $T_P$ to an iis $(\pi_{\theta(l)}, I_{\theta(l)})$ is an embedding of $T_P$ in $(\pi, I)$ w.r.t. $S$ whenever the above conditions with the following replacement for condition 3 are satisfied:

3'. If $l$ is labelled by $(\|_{i=1}^n P_i)$ then $\theta(l \cdot (i-1)) = \theta(l)$ and $S, \theta(l \cdot (i-1)) \Vdash P_i$ for all $i \in \{1, \ldots, n\}$.

Analogously to the single-agent case, we write $S, (\pi, I) \Vdash_\theta P$ whenever $\theta$ is an embedding of $T_P$ in $(\pi, I)$ w.r.t. $S$. Say that $P$ occurs over $(\pi, I)$ w.r.t. $S$ and write $S, (\pi, I) \Vdash P$ if there exists a $\theta$ such that $S, (\pi, I) \Vdash_\theta P$.
3 Refinement

The semantics presented above is a straightforward generalization of the seman- 
tics of [7] which corresponds to the special case n = 1. That paper also contains 
an example illustrating the need for sets of intervals instead of single intervals 
in the definition of program semantics. In the context of knowledge-based pro- 
grams, the need for sets (in that case of runs, not intervals) has been observed 
by Moses in his thesis [21] and is discussed by Halpern [12]. 

Traditionally, a program P refines another program Q whenever the use of 
P does not lead to an observation which is not also an observation of Q [10]. A 
refinement relation of this type, when it is transitive and preserved under pro- 
gram composition, allows us to start with a high level specification and derive a 
concrete implementation through a sequence of refinement steps. The properties 
of the refinement relations then guarantee that the final stage of the derivation 
refines the initial stage. 

The standard approach to define a refinement relation based on our semantics is to identify the notion of observation with occurrence, that is to say that $P$ refines $Q$, denoted $P \sqsubseteq Q$, when for all systems $S$ and iis $(\pi, I)$ over $S$, if $S, (\pi, I) \Vdash P$ then $S, (\pi, I) \Vdash Q$. While having both desired properties, this refinement notion is insensitive to assertion statements because the semantics cannot distinguish between programs that differ only in their assertions. Assertions are meant to play an important role in our refinement rules: they should allow us to specify assumptions about the context a program fragment is used in.

3.1 The role of assertions 

We now briefly summarize the role of assertions {(I>}q in the framework and 
define the associated semantic notions. The reader is referred to [25] for a more 
detailed explanation of these ideas in a simpler setting and to [7] for additional 
refinement rules. 

Constraint erasure. In order to capture constraint dependencies, we firstly define for each program $P$ and constraint tag set $C \subseteq CT$ a program $P^{[C]}$ that is the same as $P$, except that only constraints whose tags are in $C$ are enforced: all other constraints are relaxed. We formally obtain $P^{[C]}$ from $P$ by replacing each occurrence of a coercion $[\phi]^X$ where $X \notin C$ by $\epsilon$, and also replacing each occurrence of a specification $[\phi,\psi]^X$ where $X \notin C$ in $P$ by $[\mathit{false}, \mathit{true}]^X$ in $P^{[C]}$.

Program validity. Secondly, we may now define a program $P$ (regardless of whether it is a sequential program or an $n$-agent program) to be valid with respect to a set of interpreted systems $\mathcal{S}$ (and write $\models_{\mathcal{S}} P$ for this) when for all assertions $\{\phi\}_C$ in $P$, all interpreted systems $(S, \pi) \in \mathcal{S}$ and all run-unique interval sets $I$ over $S$, all embeddings $\theta$ of $T_{P^{[C]}}$ into $S, (\pi, I)$ have the property that for all $i \in \{1, \ldots, n\}$ and nodes $l$ of $T_{P^{[C]}}$ labelled with $\{\phi\}_C$, we have $S, \theta(l) \Vdash [\phi]$. Thus, validity can be understood as a kind of generalized partial correctness. We define validity with respect to a set of interpreted systems $\mathcal{S}$ to allow assumptions concerning the environment to be modelled, e.g., $\mathcal{S}$ might be the set of all interpreted systems in which actions have specific intended interpretations. We give an example of this in Section 4.



Justification transformations. To define a refinement notion that only allows one to derive valid programs from valid programs, we first need to define a technical notion. A justification transformation is a mapping $\eta : CT \to 2^{CT}$ that satisfies $X \in \eta(X)$ for all $X \in CT$. In some definitions in the sequel we make liberal use of the pointwise extension of justification transformations: $\eta(C) = \bigcup_{X \in C} \eta(X)$.

For instance, the result of applying a justification transformation to a program $P$ is the program $P\eta$ obtained by replacing each instance of an assertion $\{\phi\}_C$ in $P$ by the assertion $\{\phi\}_{\eta(C)}$.

The composition of two justification transformations, $\eta$ and $\eta'$, is defined by $\eta \circ \eta' = \lambda X : CT.\ \eta'(\eta(X))$.

The identity justification transformation $\lambda X : CT.\ \{X\}$ is denoted by $\iota$. We will also represent justification transformations using expressions of the form $X \mapsto D$, where $X \in CT$ and $D \subseteq CT$. Such an expression denotes the justification transformation that is everywhere as $\iota$, except for on $X$, which is mapped to $\{X\} \cup D$.

Valid refinement. Let $\mathcal{S}$ be a set of interpreted systems, let $\eta$ be a justification transformation and let $P$ and $Q$ be sequential programs for agent $i$. We say that $P$ validly refines $Q$ in $\mathcal{S}$ under $\eta$, and write $P \le_\eta Q$, if for all programs $R \in Prg$ and program variables $Z \in PV_i$, if $R[Q/Z]$ is valid with respect to $\mathcal{S}$ then $R\eta[P/Z]$ is valid with respect to $\mathcal{S}$, and for all $(S, \pi) \in \mathcal{S}$ and run-unique interval sets $I$ over $S$, if $S, (\pi, I) \Vdash R\eta[P/Z]$ then $S, (\pi, I) \Vdash R[Q/Z]$.

An analogous definition fixes the notion of an n-agent program P validly 
refining Q € Prg. The only other change in the previous paragraph is that 
program variable Z must now be drawn from PV. 



3.2 Valid Refinement Rules 

We now present a number of rules concerning valid refinement that are sound 
with respect to the semantics just presented, making no attempt at completeness. 
We focus on rules concerning n-agent programs, and refer to [7] for additional 
rules concerning the sequential programs, which are also sound in the framework 
of the present paper. Formally, most rules should come in two versions: one for 
sequential programs and one for n-agent programs, but in many cases the two 
will be identical but for typing of the components, so we generally omit the 
distinction. 

Two rules are essential ingredients of any refinement calculus. Valid refine- 
ment must be transitive and the program constructs must be monotone w.r.t. 
the valid refinement order. These two rules make it possible for refinement to be 
broken down into a sequence of steps that operate on small program fragments.

$$\frac{P \le_\eta Q \qquad Q \le_{\eta'} R}{P \le_{\eta' \circ \eta} R}\ \ \text{(trans)}$$

$$\frac{P \le_\eta Q}{R\eta[P/Z] \le_\eta R[Q/Z]}\ \ \text{(mon)}$$

One advantage of our model is that specifications can be split using any of the composition operators $+$, $*$, and $\|$.

$$\frac{\mathcal{S} \models \psi_1 \vee \psi_2 \to \psi}{[\phi,\psi_1]^{X_1} + [\phi,\psi_2]^{X_2} \le_{X \mapsto \{X_1,X_2\}} [\phi,\psi]^X}\ \ \text{(+-spec)}$$

$$\frac{\mathcal{S} \models \phi \to \phi_1 \vee \phi_2 \qquad \mathcal{S} \models \psi_1 \vee \psi_2 \to \psi}{\mathbf{if}^{X'}\ \phi_1\ \mathbf{then}\ [\phi_1,\psi_1]^{X_1}\ \mathbf{else}\ [\phi_2,\psi_2]^{X_2}\ \mathbf{fi} \le_{X \mapsto \{X_1,X_2,X'\}} [\phi,\psi]^X}\ \ \text{(if-spec)}$$

$$[\phi,\phi']^{X_1} * [\phi',\psi]^{X_2} \le_{X \mapsto \{X_1,X_2\}} [\phi,\psi]^X\ \ \text{(*-spec)}$$

$$\frac{\mathcal{S} \models \phi \to \bigwedge_{i=1}^n \phi_i \qquad \mathcal{S} \models \bigwedge_{i=1}^n \psi_i \to \psi}{(\|_{i=1}^n [\phi_i,\psi_i]^{X_i}) \le_{X \mapsto \{X_1,\ldots,X_n\}} [\phi,\psi]^X}\ \ \text{(||-spec)}$$

The execution of many distributed programs can be meaningfully split into several phases. Specifying, or reasoning about, such programs is potentially simplified if one can do so on a phase-by-phase basis. Instead of reasoning about the parallel composition of local programs each of which comprises a sequence of phases, it is usually much easier to reason about the sequential composition of several global phases, each of which is an $n$-agent program. Such phased reasoning would be supported by a rule of the form

$$(\|_{i=1}^n (P_i * Q_i)) \le_\iota (\|_{i=1}^n P_i) * (\|_{i=1}^n Q_i).$$



Refinement rules reflecting this proof principle do not hold without side conditions on $(P_i)$, $(Q_i)$, and $\mathcal{S}$ (though the converse holds unconditionally). One such condition is that all the intervals in the iis over $\mathcal{S}$ over which some $P_i$ occurs have the same length.^ Say that a program $P$ has length $l$ in $\mathcal{S}$ whenever, for each $(S, \pi) \in \mathcal{S}$, for each run-unique set $I$ of intervals over $S$, if $S, (\pi, I) \Vdash P$, interval $r[c,d] \in I$, and $c$ is finite, then $l = d - c$. We say that $P$ has constant length in $\mathcal{S}$ if there exists $l \in \mathbb{N}_+$ such that $P$ has length $l$ in $\mathcal{S}$.



$$\frac{\text{all } P_i \text{ have the same length in } \mathcal{S}}{(\|_{i=1}^n (P_i * Q_i)) \le_\iota (\|_{i=1}^n P_i) * (\|_{i=1}^n Q_i)}\ \ \text{(||-distribute-*)}$$



Having constant length is a semantic condition. A sufficient (but not necessary) syntactic condition is that the program does not contain any specification statement, iteration, or choice. This can be relaxed in various ways. For instance, choice $P + Q$ itself is not problematic if both $P$ and $Q$ have the same length in $\mathcal{S}$. Similarly, iteration has constant length if $P$ does and the number of iterations is fixed, e.g., in the style of a for-loop.

^ Another such side condition in the literature is that each phase is communication-closed [5]. This means that there is no communication across phase boundaries. The communication-closed layers rule is tailored to an asynchronous setting, rather than our synchronous framework.
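The syntactic side conditions just mentioned can be checked mechanically. The following added example (Python, not the paper's own notation) encodes programs as nested tuples, implements the constraint erasure $P^{[C]}$ of Section 3.1, and computes the constant length of a program wherever the syntactic criterion fixes it, including the two relaxations above. A fixed-count iteration ("for", k, P), standing for k sequential copies of P, is an abbreviation introduced here and not part of the language; the encoded three-round 2PC program anticipates the one derived in Section 4 and the tag name "X" is a placeholder.

```python
# Added example: syntactic checks on programs of Section 2.3.  Programs are
# nested tuples (an encoding assumed here, not the paper's):
#   ("eps",) ("var",Z) ("act",a) ("seq",P,Q) ("choice",P,Q) ("iter",P)
#   ("for",k,P) ("exists",i,p,P) ("spec",phi,psi,X) ("coerce",phi,X)
#   ("assert",phi,C) ("par",[P_1,...,P_n])

def erase(prog, tags):
    """P^[C]: keep only constraints whose tag is in C.  Coercions with other
    tags become eps, specifications with other tags become [false,true]^X."""
    kind = prog[0]
    if kind == "coerce":
        return prog if prog[2] in tags else ("eps",)
    if kind == "spec":
        return prog if prog[3] in tags else ("spec", False, True, prog[3])
    if kind in ("seq", "choice"):
        return (kind, erase(prog[1], tags), erase(prog[2], tags))
    if kind == "iter":
        return (kind, erase(prog[1], tags))
    if kind == "for":
        return (kind, prog[1], erase(prog[2], tags))
    if kind == "exists":
        return (kind, prog[1], prog[2], erase(prog[3], tags))
    if kind == "par":
        return (kind, [erase(p, tags) for p in prog[1]])
    return prog                      # eps, var, act, assert carry no constraint tag

def constant_length(prog):
    """Length of every interval the program can occur over, or None when the
    syntactic criterion cannot fix it (specifications, program variables,
    unbounded iteration, choice between branches of different length)."""
    kind = prog[0]
    if kind in ("eps", "coerce", "assert"):
        return 0                     # take no time
    if kind == "act":
        return 1                     # a basic action takes exactly one step
    if kind in ("var", "spec", "iter"):
        return None
    if kind == "seq":
        a, b = constant_length(prog[1]), constant_length(prog[2])
        return None if a is None or b is None else a + b
    if kind == "choice":             # relaxation: both branches of equal length
        a, b = constant_length(prog[1]), constant_length(prog[2])
        return a if a is not None and a == b else None
    if kind == "for":                # relaxation: fixed number of iterations
        body = constant_length(prog[2])
        return None if body is None else prog[1] * body
    if kind == "exists":
        return constant_length(prog[3])
    if kind == "par":                # components occur over the same intervals
        lengths = {constant_length(p) for p in prog[1]}
        return lengths.pop() if len(lengths) == 1 else None
    raise ValueError(kind)

def distributes(par_of_seqs):
    """Side condition of ||-distribute-* for a program ||_i (P_i * Q_i):
    all first phases P_i have the same constant length."""
    assert par_of_seqs[0] == "par" and all(p[0] == "seq" for p in par_of_seqs[1])
    firsts = {constant_length(p[1]) for p in par_of_seqs[1]}
    return len(firsts) == 1 and None not in firsts

# if^X phi then P else Q fi  ==  [phi]^X * P + [not phi]^X * Q
def ite(test, then, els):
    return ("choice", ("seq", ("coerce", test, "X"), then),
            ("seq", ("coerce", ("not", test), "X"), els))

# The three-round 2PC local programs (basic actions only, hence constant length)
COORD = ("seq", ("act", "Lambda"), ("seq", ("act", "bcst_1(AV)"), ("act", "dcd_1(AV)")))

def follower(i):
    return ("seq", ("act", f"snd_{i},1(v_{i})"),
            ("seq", ite(("not", f"v_{i}"), ("act", f"dcd_{i}(false)"), ("act", "Lambda")),
             ite(("not", f"d_{i}"), ("act", "Lambda"), ("act", f"dcd_{i}(c_{i})"))))

TWO_PC = ("par", [COORD, follower(2), follower(3)])
```

constant_length(TWO_PC) is 3 and distributes(TWO_PC) holds, which is the fact used twice at the end of the derivation in Section 4 ("all basic actions have length 1"); replacing any basic action by a specification statement makes the length None and the check fail.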

4 Example: Two-Phase Commit 

To illustrate our framework we consider a problem from the area of distributed databases. Two- and three-phase commit protocols have previously been considered (though less formally) from a knowledge-based perspective in [11, 22, 16].

Problem. Suppose n agents collaborate on a database transaction. After each of the 
agents has done its share of the transaction, they want to come to an agreement on 
whether to commit the transaction for later use of the result by other transactions. 
Each agent can be assumed to have formed an initial vote but not yet made a final 
decision. All that remains to be done is to ensure that no two agents make different 
decisions. The only faults considered in this example are crashes — communication is 
assumed reliable. The presentation is inspired by [4, 17]. 

Informal specification. The requirements on an atomic commitment protocol are 
typically stated as follows: 

1. All agents that reach a decision reach the same one. 

2. If an agent decides to commit, then all agents voted to commit. 

3. If there are no failures and all agents voted to commit, then the decision reached 
is to commit. 

Algorithm. The standard solution to this problem is called two-phase commit (2PC). One distinguished agent, say, agent 1, collects the other agents' votes. If all votes (including agent 1's) are “commit” then agent 1 tells all other agents to commit, otherwise, to abort. Note that “otherwise” could also mean that some agent crashed before being able to communicate its vote to agent 1.

The first phase thus consists of all agents telling agent 1 their individual votes and, 
if they are in favour of aborting, deciding to do so. In the second phase the agents learn 
(if they haven’t done so already because their vote was “abort” ) what to decide. 

Assumptions about $\mathcal{S}$. Agent $i$'s vote is modeled as the value of a local Boolean variable, $v_i$, which is either true (for “commit”) or false (for “abort”). Agent $i$'s decision $d_i$ has one more option, it could also be $\bot$ (for “undecided”). Agents never change their initially held votes. Initially, agents are undecided. Once they decide, they cannot change their decision. Each agent $i = 2, \ldots, n$ has a three-valued variable $c_i$ in which it can receive a message from agent 1. Agent 1 also has a set of three-valued variables $m_2, \ldots, m_n$ in which it receives information from the other agents concerning their vote.^ Initially, each $m_i$ has value $\bot$.

^ One could of course use a richer modelling of communication, such as message buffers, but this simple approach suffices for our illustrative purposes.

Agents have available the following actions. The environment is used to model the fact that all these actions have a non-deterministic effect on the state. When an action is performed, it either has its intended effect on the state, or (at the discretion of the environment) the agent crashes, and the action has no effect on the state. Once an agent has crashed, it is crashed at all subsequent states, so its actions have no effect. We describe just the intended effects below. All agents can perform the null action $\Lambda$, which has no effect. Each agent $i$ also has the action $\mathit{dcd}_i(v)$, where $v$ is a truth value, the intended effect of which is to set $d_i$ equal to $v$. In addition to these actions, agent 1 can perform the action $\mathit{bcst}_1(v)$, where $v$ is a truth value. The action $\mathit{bcst}_1(v)$ has the intended effect of setting all the variables $c_i$ equal to the value of $v$. Each agent $i$ can perform the action $\mathit{snd}_{i,1}(v)$, where $v$ is a truth value. The intended effect of this is to set agent 1's variable $m_i$ equal to $v$.

The environment has a set of actions $\mathit{crash}(F)$, where $F$ is a subset of $\{1, \ldots, n\}$, which it uses to crash the agents in $F$, making the proposition $f_i$ true for agents $i \in F$. Initially, $f_i$ is false. Crashes are non-recoverable: once it has performed $\mathit{crash}(F)$, the environment always performs $\mathit{crash}(F')$ for some superset $F'$ of $F$, so that once crashed, an agent $i \in F$ remains crashed (and the proposition $f_i$ remains true).

Due to space restrictions, we restrict ourselves to this rather informal description 
of S. One of the strengths of the full calculus is that each formal description of the 
set of target systems generates a set of tailor-made refinement rules. (See [7] for some 
detail.) 



4.1 Sketch of a 2PC protocol derivation 

The point of departure of this derivation is an assertion followed by a single specification. The assertion expresses that this program should only be used in contexts that guarantee that the program is started in an initial state. The specification statement expresses that the program should take the agents from an initial state to a state satisfying the informal specification above. The precondition of the initial specification expresses that no agent has received a message and that no agent has decided. Let us abbreviate: none voted $NV = \bigwedge_{i=2}^n (m_i = \bot)$, none received broadcast $NB = \bigwedge_{i=2}^n (c_i = \bot)$, and none decided $ND = \bigwedge_{i=1}^n (d_i = \bot)$, and let

$$\mathit{Init} = NV \wedge NB \wedge ND.$$

Note that we do not assume that all agents are alive. The postcondition of the initial specification is $\exists d(\Psi)$ where

$$\Psi = \bigwedge_{i=1}^n (d_i \ne \bot \to d_i = d) \wedge (d \to AC) \wedge (AC \wedge NF \to \bigwedge_{i=1}^n d_i).$$

In the postcondition, each of the three conjuncts corresponds to one of the informal requirements stated above. One of the first refinement steps will split the specification into two phases. The challenge there is to find a good intermediate assertion. To motivate our choice of intermediate assertion, we note the following informal argument. Intuitively, we would like the first phase of the protocol to consist of each agent informing the coordinator of its vote, so that by the end of the first phase, assuming there have been no failures, if all agents vote to commit then by the end of the first phase the coordinator knows this. That is, we would like to make true the formula $NF \wedge AC \to K_1 AC$, in which we employ the abbreviations none failed $NF = \bigwedge_{i=1}^n \neg f_i$ and all committed $AC = \bigwedge_{i=1}^n (v_i = \mathit{true})$. Recall from the discussion above that $K_1 AC$ is equivalent to $\exists_1 p\,(p \wedge \mathit{Nec}(p \to AC))$, i.e., the agent knows that $AC$ if some sound 1-local test $p$ for $AC$ is true. This motivates rewriting the intermediate assertion as the following slightly stronger formula

$$\Phi = (NF \wedge AC \to p) \wedge (p \to AC) \wedge ND$$




A Refinement Theory That Supports Reasoning about Knowledge and Time 137 



where we have dropped the necessity operator, because the formula as a whole will be implicitly given a necessity-like force by placing it in a specification construct. To capture that the proposition $p$ in the intermediate assertion is required to be 1-local, we add a quantifier as the first refinement step.

{Init}^ 2 } * [Init,3d('?)]^ 

>f (instance of axiom: 3ip (P) <f P, for p not free in P ) 

3ip ({Initj^^j * [Init, 3d 
(*-spec) 

3ip (^{Initj^^j * [Init,<?]^ * 

For the moment, let us treat the two phases separately, beginning with the first. After this first phase the obvious candidate expression for $p$ is the accumulated vote $AV = (v_1 \wedge \bigwedge_{i=2}^n (m_i = \mathit{true}))$.

{Initj^^j * [Init,<?]^ 

>x<^{x'} (instance of axiom: [ip]^ <y^{x} ) 

{Init}^2} * Pnit,<P[^’^/p]]^ * 

>f (specification consequence) 

[init,<5r/p]]^ * * [^f 

To apply the parallel decomposition rule ||-spec one has to show that in $\mathcal{S}$ the conjunction of the local postconditions implies the original $n$-agent postcondition which, in this instance, is straightforward. To abbreviate the connection between crashes, messages, and votes, let us employ the abbreviation $CMV_i = ((f_i \to (m_i = \bot)) \wedge (\neg f_i \to (m_i = v_i)))$.

>f (ll-spec) 

([Init,di = _L]^ II ||”^ 2 pnit,CMVi A {di = _L)]^) 

>f (exploit S to implement local specifications with basic actions) 

(All 11:^2 sndiAvi)){^[^^ / a] 

Let us now consider the development of the second phase of the program. The intuition here is that the coordinator broadcasts its knowledge of the outcome of the vote and then decides. Each remaining agent $i$ has two options: either it already voted to abort, and thus knows that the only possible decision is to abort, or it voted to commit and has to wait for the broadcast message from agent 1 before it decides according to that message. Consequently the next refinement step is another sequential decomposition. The intermediate assertion states that, unless agent 1 failed, each uncrashed agent received the broadcast prospective decision:

$$\Phi'_1 = (d_1 = \bot) \wedge \bigwedge_{i=2}^n \big((f_1 \vee f_i \to c_i = \bot) \wedge (\neg(f_1 \vee f_i) \to c_i = p)\big)$$

It also states that each uncrashed agent $i = 2, \ldots, n$ that voted to abort decided so already:

$$\Phi'_i = (f_i \vee v_i \to (d_i = \bot)) \wedge (\neg(f_i \vee v_i) \to \neg d_i)$$

The derivation proper follows.

(*-spec) 

>f (introduce assertion) 

>f (specification consequence) 

Let us focus on the first half of the second phase and proceed by parallel decomposition. 

>f (ll-spec) 

>f (n — 1 times if-spec) 

[<P]^ ([#, II ||"^2 ^ then [~^Vi A $, <)>']^ else [vi A <P, <)>']^ fi) 

>f (exploit S to implement specifications by basic actions) 

(bcsti{p) II ||"_2 if ^ -i«i then dcdi{false) else A fi) 

In the second half of the second phase all uncrashed yet undecided agents decide. 

>f (strengthen postcondition) 

>f (ll-spec) 

(di + -p) A (p ^ AC) A (AC A NF ^ di)f' 

>f (n — 1 times if-spec) 

[#', (di ^ -,p) A (p AC) A (AC A NF di)]^' || 

||",^2 ^ ~^di then [-idi A <?', {di ^ ->p) A (AC A NF — )• di)]^ 

else [{di ^ false) A d>' , {di ^ ->p) A (AC A NF — )• dj)]^ fi 

>f (exploit S to implement a specification by a basic action) 

dcdi{p) II ||"_2if^ -idi then A else dcdi{ci) fi 
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Finally, we have to tie the phases together and get rid of the local propositional quan- 
tifier. 



{Initj^^j * [Init,3d(<P')]^ 

>f (by the above and mon) 

({A II ||:L 2 sndiAvi)) * * \ 

3 iP I {bcsti{p) II ||”^2 ^ ~'‘Vi then dcdilfalse) else A fi) * 

\(dcdi(p) II ||”_2if^ -idj then A else dcdi(ci) fi) / 

This leaves us with a program that is concrete except for the coercion defining $p$. This can then be eliminated by pushing the existential quantifier first around this coercion, then inside it, and noting that what results is a tautology, so the coercion can be eliminated.



>f (p not free in parts of the program) 

(All ||:L 2 snd,Avi))*{<l>[^^/,]}^,^^y* 

^ p f * {bcsti{p) II ||”_2 if ^ -iVi then dcdi{false) else A fi) * 

\ (dcdi(p) II ||”^2if^ -idj then A else dcdi(ci) fi) 

>f (instance of axiom: [3ip(Nec(<() =p))]^ (-P['*/pD 3ip(P)) 

(A II ||:L2 [ 3 ip(Nec(p = AV))]^ [^r/p]]^' 

{bcsti(AV) II ||”_2 if ^ -<Vi then dcdi{false) else A fi) * 

(dcdi(AV) II ||”^2 ^ then A else dcdi{ci) fi) 

>f (all variables in AV are 1-local in S, eliminate coercion) 

(A II ||:L 2 snd.Avi)) * {^r/p]}^^,^> * * 

( 6 csti(AV) II ||”_2 if ^ -<Vi then dcdi(false) else A fi) * 

(dcdi(AV) II ||”^2 ^ then A else dcdi{ci) fi) 

(eliminate coercion) 

(A II ||"^2 sndi,i{vi)) * 

{bcsti(AV) II ||”^2 ^ then dcdi{false) else A fi) * 

(dcdi(AV) II ||”_2 if ^ ^di then A else dcdi{ci) fi) 

We have now arrived at a concrete program implementing the specification for agent 
i. While sketchy and a little tedious, the derivation does serve to highlight a number 
of key features of the framework: the role of reasoning using assertions and coercions, 
and the use of i-locality assumptions to arrive at conclusions about agents’ knowledge. 

>f (twice ||-distribute-* using that all basic actions have length 1) 

{A* bcsti{AV) * dcdi(AV)) || 

„ / sndi^i(vi) * if ^ -iVi then dcdi(false) else A fi * \ 

\if ^ ~^di then A else dcdi{ci) fi / 

>f (exploit S to merge the two conditionals) 

(A * bcsh (AV) * dcdi (AV)) || 

||”^2('S”^hi ('*^i) * if ^ ~'Vi then dcdi(false) * A else A * dcdi{ci) fi) 
Observe that the program obtained is only one of many possible implementations of the specification w.r.t. $\mathcal{S}$. Another, in a sense the weakest, program satisfying the specification is one in which there is no attempt made to have agents abort when they know that this is what the decision is going to be but another agent has failed. At the other end of the spectrum, one could implement the specification by 3-phase commit, that is, an extension of 2PC that ensures that no uncrashed agent will block.
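As an added example (not part of the paper), the following Python code runs the derived 2PC program under every vote vector and every monotone crash pattern for three agents. The three synchronous rounds and the crash rule (the action of the round in which an agent crashes already has no effect, and a crashed agent stays crashed) follow the description of $\mathcal{S}$ above; the encoding of $\bot$ as None and all function names are assumptions of the example. It checks the three informal requirements on every run and counts the runs in which an uncrashed agent is left undecided, i.e. the blocking behaviour that the remark on 3-phase commit refers to.

```python
# Added example: exhaustive check of the derived 2PC program under the
# crash-only environment of S.  Encoding (assumed): True = "commit",
# False = "abort", None = the undecided / empty value.
from itertools import product

def run_2pc(n, votes, crash_round):
    """Run the three synchronous rounds of the derived program.

    votes[i]        vote v_i of agent i (agent 1 is the coordinator)
    crash_round[i]  round (1..3) in which the environment crashes agent i, or
                    None; the action of the crash round already has no effect
    Returns the decisions d_1..d_n and the set of crashed agents."""
    others = range(2, n + 1)
    m = {i: None for i in others}            # coordinator's mailboxes m_i
    c = {i: None for i in others}            # broadcast mailboxes c_i
    d = {i: None for i in range(1, n + 1)}   # decisions d_i

    def alive(i, rnd):
        return crash_round[i] is None or crash_round[i] > rnd

    # Round 1:  Lambda || ||_{i>=2} snd_{i,1}(v_i)
    for i in others:
        if alive(i, 1):
            m[i] = votes[i]
    # Round 2:  bcst_1(AV) || ||_{i>=2} if not v_i then dcd_i(false) else Lambda fi
    av = votes[1] and all(m[i] is True for i in others)   # accumulated vote AV
    if alive(1, 2):
        for i in others:
            c[i] = av
    for i in others:
        if alive(i, 2) and not votes[i]:
            d[i] = False
    # Round 3:  dcd_1(AV) || ||_{i>=2} if not d_i then Lambda else dcd_i(c_i) fi
    if alive(1, 3):
        d[1] = av
    for i in others:
        if alive(i, 3) and d[i] is not False:
            d[i] = c[i]                      # stays undecided if no broadcast came
    crashed = {i for i in range(1, n + 1) if crash_round[i] is not None}
    return d, crashed

def requirements(n, votes, d, crashed):
    """The three informal requirements of Section 4, evaluated on the final state."""
    decided = [x for x in d.values() if x is not None]
    all_commit = all(votes[i] for i in range(1, n + 1))
    agreement = len(set(decided)) <= 1
    validity = True not in decided or all_commit
    nontrivial = bool(crashed) or not all_commit or all(x is True for x in d.values())
    return agreement, validity, nontrivial

def explore(n=3):
    """Enumerate every vote vector and every monotone crash pattern."""
    agents = list(range(1, n + 1))
    summary = {"runs": 0, "violations": 0, "blocked": 0}
    for vs in product([True, False], repeat=n):
        votes = dict(zip(agents, vs))
        for crs in product([None, 1, 2, 3], repeat=n):
            d, crashed = run_2pc(n, votes, dict(zip(agents, crs)))
            summary["runs"] += 1
            if not all(requirements(n, votes, d, crashed)):
                summary["violations"] += 1
            # an uncrashed agent left undecided: the blocking that 3PC removes
            if any(d[i] is None for i in agents if i not in crashed):
                summary["blocked"] += 1
    return summary

if __name__ == "__main__":
    print(explore(3))
```

explore(3) reports no violation over all 512 runs but a nonzero number of blocked runs: whenever the coordinator crashes before its broadcast, every uncrashed agent that voted to commit keeps $d_i = \bot$, which is allowed by the specification (it only constrains agents that decide) and is exactly what the weaker and the 3PC implementations mentioned above trade off differently.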



5 Conclusion and Future Work 

We have sketched the main features of an extension of our compositional refine- 
ment calculus to multiple agents. It incorporates an assertion language strong 
enough to express temporal and epistemic notions. The example sketched in Sec- 
tion 4 was chosen to illustrate the use of the new rules, not those carried over 
from the single-agent calculus. 

In future work, we plan to explore variants of the framework with less rigidly 
synchronous and fully asynchronous semantics. 
Abstract. We present the disconnection tableau calculus, which is a free-variable clausal tableau calculus where variables are treated in a non-rigid manner. The calculus essentially consists of a single inference rule, the so-called linking rule, which strongly restricts the possible clauses in a tableau. The method can also be viewed as an integration of the linking rule as used in Plaisted's linking approach into a tableau format. The calculus has the proof-theoretic advantage that, in the case of a satisfiable formula, one can characterise a model of the formula, a property which most of the free-variable tableau calculi lack. In the paper, we present a rigorous completeness proof and give a procedure for extracting a model from a finitely failed branch.



1 Introduction 

In the last years considerable progress has been made in the development of 
tableau-based proof systems for automated deduction. While the tableau frame- 
work always was very influential in proof theory and in the development of logics, 
particularly non-classical ones, it had almost no influence on automated deduc- 
tion in classical logic. This changed about ten years ago, when it was recognised 
that it is more natural to view automated deduction calculi like model elimina- 
tion or the connection method as particular refinements of the tableau calculus. 
The central new feature of those refinements is the active use of connections as a 
control mechanism for guiding the proof search. This view had a very fruitful ef- 
fect on the research in the area. In the meantime, many proof systems developed 
in automated deduction have been reformulated in tableau style. Furthermore, 
new calculi have been developed which are based on tableaux and integrate con- 
nections in different manners. Currently, some of the most powerful theorem 
proving systems are based on tableaux with connections. 

The main objective in the use of connections is to avoid the blind applica- 
tion of the γ-rule used in Smullyan’s tableau system [Smu68]. Instead one uses 
the substitutions that are induced by the connections in the formula. Since, in 
general, such substitutions are not ground, this requires the introduction of free 
variables in tableaux. The question then is how to treat these free variables. 
The overwhelming majority of the developed free-variable tableau calculi (e.g., 
[Fit96], [LMG94]) treat free variables as rigid in the sense that a free variable 
x is just treated as a placeholder for a single yet unknown (ground) term t. 
And during the tableau construction this term is successively approximated by 
applying substitutions to the variable x. The resulting tableau calculi are de- 
structive [Let99] in the sense that they not only have expansion inferences as 
in Smullyan’s system but also modification inferences. The negative side-effect 
is that these calculi lack a fundamental property of Smullyan’s tableau method, 
namely, the possibility of branch saturation. But branch saturation is one of the 
most appealing features of traditional tableau calculi, since it permits the ex- 
traction of models for certain satisfiable formulae. With the new calculi, model 
generation is impossible. Also, the decision power of free-variable tableau sys- 
tems is significantly weakened.¹ These negative consequences of free-variable 
tableau calculi have not sufficiently been recognised so far. 

In [Bil96], an alternative clausal free-variable framework is presented, the dis- 
connection method. In its tableau format, the method treats a free variable not as 
rigid but as universally quantified wrt. the respective clause in the tableau. Un- 
fortunately, in [Bil96] many questions concerning the properties of the method 
remain unanswered. So the completeness proof is only sketched and the problem 
of model generation is not addressed. In the current paper we give a rigorous 
presentation of the disconnection tableau calculus, as we term it. This includes 
an elaborated completeness proof. The main emphasis of this paper is on issues 
of model generation. We develop some new concepts like an instance-preserving 
enumeration of a tableau branch and its associated Herbrand path, which per- 
mit the convenient extraction of Herbrand models from open saturated tableau 
branches. As we will demonstrate, these concepts permit a compact representa- 
tion of Herbrand models. 

The paper is organised as follows. Following this introduction, Section 2 
motivates the disconnection calculus, defines the required notation and provides 
an intuitive as well as a formal description of the disconnection calculus. Then, in 
Section 3 we show how the branch saturation property of our calculus can be used 
to extract models from saturated branches. Subsequently, the completeness of 
the disconnection calculus can be proven in a straightforward manner in Section 
4. Section 5 shows how the calculus can be strengthened wrt. deductive power 
and, finally, in Section 6 we give an assessment of our work and address future 
perspectives. 



2 The Disconnection Tableau Calculus 

The disconnection tableau calculus was first developed in [Bil96]. Essentially, this 
proof system can be viewed as an integration of Plaisted’s clause linking method 
[LP92] into a tableau control structure. Therefore, in order to comprehend the 

¹ For example, Fitting’s free-variable tableaux [Fit96] provide no decision procedure 
for the Bernays-Schoenfinkel class [DG79], unless very rough external criteria like 
maximal path lengths are used, whereas with a slight modification Smullyan’s orig- 
inal tableau method decides the class (see [Let99]). 
disconnection tableau calculus, it is instructive to first briefly review the most 
important features of the clause linking method. This method is in the spirit of 
the first theorem proving procedures developed in the sixties, which were direct 
applications of Herbrand’s approach to proving the completeness of first-order 
logic (see [DP60]). Such Herbrand procedures consist of two subprocedures, a 
generator for sets of ground instances and a propositional decision procedure. For 
some decades this methodology was not pursued in automated deduction, mainly 
because no guided method of ground instance generation existed. The linking 
mechanism (and its hyperlinking variant) integrates unification into the process 
of ground instantiation, thus making the ground instantiation more controlled. 

Before describing the proof method, we need to introduce some terminology. 
As usual, a literal is an atomic formula or a negated atomic formula. A clause 
is a finite set of literals; occasionally, we will also display clauses as disjunctions 
of literals. A literal occurrence is any pair (c, l) where c is a clause, l is a literal, 
and l ∈ c. 

Definition 1 (Link, linking instance). Given two literal occurrences (c, l) and 
(c', ¬l'), if there is a unifier σ of l and l'τ where τ is a renaming of c' such 
that c'τ is variable-disjoint from c, then the set ℓ = {(c, l), (c', ¬l')} is called a 
connection or link (between the clauses c and c'). The clause cσ is a linking 
instance of c wrt. the connection ℓ.² 

Instead of guessing arbitrary ground instances of clauses as in the theorem 
proving procedures of the sixties, one can restrict oneself to linking instances 
(or hyperlinking instances) wrt. the connections in the iteratively increasing 
clause set. Additionally, from time to time, the current clause set is tested for 
propositional unsatisfiability. Before this test, the clause set is grounded, i.e., all 
variables are replaced by one and the same constant. If the unsatisfiability test 
succeeds, then this obviously demonstrates the unsatisfiability of the original 
clause set. 

One of the strengths of the clause linking method is that it avoids the so-called 
duplication problem in resolution, which means that the unresolved parts of a 
parent clause c are duplicated over and over again in resolvents derived from c. 
One of the main weaknesses of the clause linking method is that the propositional 
decision procedure is separated from the generation of the linking instances. And 
the interfacing problem between the two subroutines may lead to tremendous 
inefficiencies. The disconnection tableau method provides an intimate integration 
of the two subroutines. This is achieved by embedding the linking process into 
a tableau guided control structure. As a result of this embedding, no separate 
propositional decision procedure is needed and the number of produced linking 
instances can be significantly reduced. For describing the disconnection tableau 
method, we need the following notions. 

² There is also a hyperlinking variant, which requires that each literal l_i in the clause 
c has a link with substitution σ_i; the hyperlinking variant of c is cσ where σ is the 
composition of the substitutions σ_i. 
Definition 2 (Path). A path through a clause set S is any total mapping 
P : S → ⋃S with P(c) ∈ c, i.e., a set containing exactly one literal occurrence 
(c, l) for every c ∈ S. The set of literals of P is the set of all l such that (c, l) ∈ 
P. A path P is complementary if it contains two literal occurrences of the form 
(c, l) and (c', ¬l), otherwise P is called consistent or open. 



Definition 3 (Tableau). A tableau is a (possibly infinite) downward tree with 
literal labels at all tree nodes except the root. Given a clause set S, a tableau for 
S is a tableau in which, for every tableau node N, the set of literals c = l_1, ..., l_m 
at the immediate successor nodes N_1, ..., N_m of N is an instance of a clause in 
S; for every i (1 ≤ i ≤ m), c is called the clause of N_i. With every tableau 
node N_i the literal occurrence (c, l_i) will be associated. Furthermore, a branch of 
a tableau T is any maximal sequence B = N_1, N_2, N_3, ... of nodes in T such that 
N_1 is an immediate successor of the root node and any N_{i+1} is an immediate 
successor of N_i. With every branch B we will associate a path P_B, viz., the set 
of literal occurrences associated with the nodes in B. 

The specific feature of Billon’s disconnection tableau calculus [Bil96] is that 
it starts the construction of a tableau wrt. a path through the set S of input 
clauses, which we call the initial path P_S. P_S can be arbitrarily chosen but remains 
fixed throughout the entire tableau construction. The disconnection tableau cal- 
culus consists of a single complex inference rule, the so-called linking rule. 

Definition 4 (Linking rule). Given an initial path P_S and a tableau branch 
B with two literal occurrences (c, l) and (c', ¬l') in P_S ∪ P_B, such that ℓ = 
{(c, l), (c', ¬l')} is a connection with unifier σ, then 

1. expand the branch B with a linking instance wrt. ℓ of one of the two clauses, 
say, with cσ, 

2. below the node labeled with lσ, expand the branch with a linking instance wrt. 
ℓ of c'σ. 

In other terms, we perform a clause linking step and attach the coupled 
linking instances below the leaf node of the current tableau branch. Afterwards, 
the respective connection must not be used any more below the node on any 
extension of B, thus “disconnecting” the connected literals. This last feature 
explains the naming disconnection tableau calculus for the proof method. 

As branch closure condition, the standard tableau closure condition is not 
sufficient, but the same notion as employed in the clause linking method can be 
used. 

Definition 5 (Closure). A tableau branch B is closed if its associated path is 
complementary. B is closed wrt. a term t, t-closed for short, if B becomes closed 
when all the variables in the literals on B are substituted by the term t. B is 
universally closed, ∀-closed for short, if B is t-closed for any term t; if B is not 
∀-closed it is called open. 
Fig. 1. Illustration of a linking step. 



That is, a branch of a tableau is ∀-closed if it contains two literals l and k 
such that lθ is the complement of kθ where θ is a substitution identifying all 
variables in the tableau. Applied to the tableau in Figure 1 this means that 
after the linking step at least the middle branch is ∀-closed, as indicated with 
an asterisk. 

The disconnection tableau calculus then simply consists of the linking rule 
plus a rule for the selection of an initial path applicable merely once at the 
beginning of the proof construction. The calculus is sound and complete for any 
initial path selection, i.e., a clause set S is unsatisfiable if and only if, for any 
initial path P_S, there exists a finite disconnection tableau T for S and P_S such 
that all branches of T are ∀-closed (or t-closed for an arbitrary term t). Both 
notions of closure can be used, but using t-closure may lead to shorter proofs 
if the respective term is selected in a fortunate manner. We will present all our 
results for the weaker notion of ∀-closure, since then they automatically hold for 
the t-closure case. 

Definition 6 (Disconnection tableau sequence). Given a set of clauses S 
and an initial path P_S through S, a disconnection tableau sequence for S and 
P_S is any (possibly infinite) sequence T = T_0, T_1, T_2, ... satisfying the following 
properties: 

— T_0 is the trivial tableau consisting just of the root node, 

— any T_{i+1} in T can be obtained from T_i by application of a linking step. 

Any tableau in T is called a disconnection tableau for S and P_S. 

Figure 2 displays a ∀-closed disconnection tableau for the clause set consist- 
ing of the transitivity clause {P(x, z), ¬P(x, y), ¬P(y, z)}, and the three unit 
clauses {P(b, c)}, {P(a, b)}, and {¬P(a, c)}. As usual, upper-case letters denote 
predicate symbols, lower-case letters from the end of the alphabet like x, y, z 
denote variables, the other function symbols. The selected initial path passes 
through every clause at the first literal position. In the figure, we have shown 
the set of input clauses, with the initial path marked, in a box at the beginning 
of the actual tableau. We have also depicted the connections as arcs, and imme- 
diately before every linking instance c in the tableau we have annotated from 
which connection c derives. 




Fig. 2. A ∀-closed disconnection tableau. 



As usual, a pure calculus is nothing without refinements. The most important 
of these for the disconnection tableau calculus is the following. 

Definition 7 (Variant freeness). A disconnection tableau T is variant-free if, 
for no node N with clause c in T, there exists an ancestor node N' in T with 
clause c' such that c and c' are variants of each other, i.e., c can be obtained 
from c' by renaming its variables. (It should be noted that this restriction does 
not extend to the initial path.) 

With this refinement the disconnection framework can be used for proving 
the satisfiability of certain clause sets, and from the respective tableau a model 
for S can be extracted, as we shall demonstrate in the next section. In the 
following, we assume all disconnection tableaux to be variant-free. In order to 
illustrate the decision power of the disconnection calculus, we give a very simple 
satisfiable clause set, which is very hard for other calculi. For example, none of 
the generally successful theorem provers based on resolution or model elimination 
terminate. The clause set is displayed on the left-hand side of Figure 3. It is 
obtained from the clause set displayed in Figure 2 by two simple modifications. 
First, we have exchanged the positions of the constants b and c in the unit clause 
P(b, c), which makes the set satisfiable. Furthermore, we have switched the signs 
of the literals, which does evidently not change the logic.³ 

³ But it significantly changes the behaviour of resolution systems, for example. With- 
out the second modification, since the set is Horn, we can use unit resolution, which 
terminates on this set. 
[Figure 3: on the left, the disconnection tableau for the modified clause set with 
its saturated open branch B; on the right, an instance-preserving enumeration of 
B, listed from the unit clauses ¬P(c, b) and P(a, c) through the linking instances of 
the transitivity clause up to the input clause ¬P(x, z) ∨ P(x, y) ∨ P(y, z), with the 
selected literals P(a, y) and P(b, y) boxed.] 

Fig. 3. A saturated open branch and an instance-preserving enumeration. 



When considering the branch B in the tableau, we observe that any further 
linking step on B produces a variant of a clause already on the branch. This 
proves the satisfiability of the set of input clauses. In fact, the disconnection 
tableau method is a decision procedure for the class of finite clause sets without 
function symbols of arity > 0, which corresponds to the Bernays-Schoenfinkel 
class [DG79]. 
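As an added example (not the authors' implementation and not the prover of [LS01]), the following Python program runs the linking rule of Definition 4 with the ∀-closure test of Definition 5 and the variant-freeness restriction of Definition 7 on the two clause sets just discussed: the unsatisfiable set of Figure 2, where every branch becomes ∀-closed, and the satisfiable set of Figure 3, where the search stops on a saturated open branch. It is restricted to function-free clauses, takes the initial path through the first literal of every clause, and picks links by an instantiation-first heuristic (fewest variables left in the linking instances) that is an assumption of this example rather than the depth-based strategy of Example 1; on the finite search trees arising here any exhaustive order is fair.

```python
# Toy prover for the disconnection tableau calculus of Sect. 2, restricted to
# function-free clauses (the Bernays-Schoenfinkel case the text discusses).
# Added example, not the authors' implementation.  A term is a string (a
# variable if it starts with x, y or z, else a constant); a literal is
# (sign, predicate, args); a clause is a tuple of literals.
from itertools import count

def is_var(t):
    return t[0] in "xyz"

def mgu(l, m):
    """Most general unifier of the atoms of two same-arity literals, or None."""
    s = {}
    for x, y in zip(l[2], m[2]):
        x, y = s.get(x, x), s.get(y, y)          # s is kept idempotent below
        if x != y:
            if not (is_var(x) or is_var(y)):
                return None
            v, t = (x, y) if is_var(x) else (y, x)
            s = {k: (t if w == v else w) for k, w in s.items()}
            s[v] = t
    return s

def clause_subst(c, s):
    return tuple((sg, p, tuple(s.get(a, a) for a in args)) for sg, p, args in c)

def clause_vars(c):
    return {a for _, _, args in c for a in args if is_var(a)}

def rename(c, k):
    """Variant of c with its variables renamed apart (suffix k)."""
    return clause_subst(c, {v: f"{v}_{k}" for v in clause_vars(c)})

def instance_of(d, c):
    """Clause d is an instance of clause c, literal by literal."""
    s = {}
    for l, m in zip(c, d):
        if l[:2] != m[:2] or len(l[2]) != len(m[2]):
            return False
        for x, y in zip(l[2], m[2]):
            if (s.setdefault(x, y) != y) if is_var(x) else (x != y):
                return False
    return len(c) == len(d)

def forall_closed(lits):
    """Def. 5: a complementary pair after all variables are identified ('*')."""
    g = {clause_subst((l,), dict.fromkeys(clause_vars((l,)), "*"))[0] for l in lits}
    return any((not sg, p, a) in g for sg, p, a in g)

def links(occs, used, on_branch, fresh):
    """Applicable linking steps (Def. 4) as (connection, chain of new instances)."""
    for i, (c, a) in enumerate(occs):
        for d, b in occs[i + 1:]:
            conn = frozenset([(c, a), (d, b)])
            if conn in used or c[a][0] == d[b][0] or (c[a][1], len(c[a][2])) != (d[b][1], len(d[b][2])):
                continue
            d_r = rename(d, next(fresh))            # c' made variable-disjoint from c
            s = mgu(c[a], d_r[b])                   # unifies l with the atom of ¬l'
            if s is not None:                       # Def. 7: drop variants of branch clauses
                chain = [(x, k) for x, k in ((clause_subst(c, s), a), (clause_subst(d_r, s), b))
                         if not any(instance_of(x, e) and instance_of(e, x) for e in on_branch)]
                if chain:
                    yield conn, chain

def attach(branch, used, chain):
    """Attach the chain: first instance at the leaf, the next below its linked literal."""
    (c, a), rest = chain[0], chain[1:]
    out = []
    for j in range(len(c)):
        b = branch + [(c, j)]
        out.extend(attach(b, used, rest) if j == a and rest else [(b, used)])
    return out

def prove(S):
    """Variant-free disconnection tableau for S (initial path: first literals).
    Returns ("closed", steps) or ("saturated", branch as [(clause, index)])."""
    init, fresh, steps = [(c, 0) for c in S], count(1), 0
    stack = [([], frozenset())]                     # (P_B, connections used on it)
    while stack:
        branch, used = stack.pop()                  # left-most open branch first
        if forall_closed([c[i] for c, i in branch]):
            continue
        step = min(links(init + branch, used, [c for c, _ in branch], fresh),
                   key=lambda cc: len(set().union(*(clause_vars(x) for x, _ in cc[1]))),
                   default=None)                    # instantiation-first heuristic
        if step is None:                            # no applicable link: saturated
            return "saturated", branch
        steps += 1
        stack.extend(reversed(attach(branch, used | {step[0]}, step[1])))
    return "closed", steps

# Fig. 2: transitivity P(x,z) ∨ ¬P(x,y) ∨ ¬P(y,z) with P(b,c), P(a,b), ¬P(a,c).
TRANS = ((True, "P", ("x", "z")), (False, "P", ("x", "y")), (False, "P", ("y", "z")))
S_UNSAT = (TRANS, ((True, "P", ("b", "c")),), ((True, "P", ("a", "b")),), ((False, "P", ("a", "c")),))
# Fig. 3: all signs switched and b, c exchanged in the first unit: satisfiable.
S_SAT = (tuple((not sg, p, a) for sg, p, a in TRANS), ((False, "P", ("c", "b")),),
         ((False, "P", ("a", "b")),), ((True, "P", ("a", "c")),))
```

`prove(S_UNSAT)` returns `("closed", n)` after a few steps, while `prove(S_SAT)` returns a saturated branch whose seven clauses are the linking instances shown on the branch B of Figure 3.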

Proof and Model Generation with Disconnection Tableaux 149 

3 Model Extraction from Disconnection Tableaux 

In [Bil96] only a sketch of a completeness proof is given and the problem of 
extracting a model from the failed construction of a ∀-closed tableau is left 
open. In this paper, we address both topics. We present a full and self-contained 
completeness proof which is different from the approach in [Bil96]. For example, 
we do not need auxiliary concepts like the connective depth as used in [Bil96]. 
Furthermore, we show how a Herbrand model can be extracted from such a failed 
tableau construction. Since the completeness proof uses the model property, we 
start with the part concerned with model generation. 

We employ the following notions. The Herbrand set S* of a set of clauses S is 
defined as usual, i.e., a clause c is in S* if and only if c is a ground instance of a 
clause in S wrt. the Herbrand universe of S. As usual, a Herbrand interpretation 
for S can be viewed as a set I of literals containing, for each atom A in the 
Herbrand base of S, exactly one of A or ¬A. The set I is a Herbrand model for 
S if there is a path P through the Herbrand set S* of S such that the set of literals 
in P is a subset of I. For completeness and model generation, it is even more 
elegant to work with partial Herbrand interpretations and models. Any subset I 
of a Herbrand interpretation for S is called a partial Herbrand interpretation. I 
is a partial Herbrand model for S if all Herbrand interpretations for S which are 
supersets of I are Herbrand models for S. Obviously, the following proposition 
holds. 

Proposition 1. The set of literals I_P of any consistent path P through the 
Herbrand set S* of a set of clauses S is a partial Herbrand model for S, and any 
partial Herbrand interpretation I ⊇ I_P is a partial Herbrand model for S. 

An appealing feature of the disconnection tableau calculus is that it provides 
us with a natural representation of partial Herbrand models for any saturated 
tableau branch B which is not ∀-closed or t-closed. Under certain circumstances 
this representation may be more compact than just explicitly specifying a partial 
Herbrand model as a set of ground literals. The idea which permits such a 
representation is to enumerate the literal occurrences of a branch in an order 
which respects the instance relation of the contained clauses. This is formalised 
with the following notions. 

Definition 8. Given any set of literal occurrences P, an instance-preserving enu- 
meration of P is any sequence E = L_1, L_2, L_3, ... in which exactly the elements 
of P occur and in such an order that, for any L_i = (c_i, l_i) and L_j = (c_j, l_j), when 
c_i is a proper instance of c_j, then i < j. Let, furthermore, S* be the Herbrand set 
of the clauses occurring in P. Then, with any instance-preserving enumeration E 
of P, we associate a path P* through S* as follows: a literal occurrence (c, l) is 
in P* if and only if there is a literal occurrence L_k = (c_k, l_k) in E of which (c, l) 
is an instance and there is no L_j = (c_j, l_j) with j < k in E such that c is an 
instance of c_j; we term L_k the minimal matcher in E of the clause c. The path P* 
is called the Herbrand path of E and a Herbrand path of P. 

In case the Herbrand path P* of such an enumeration E is consistent, then 
the set of literals of P* is a partial Herbrand model. As an example, consider the 
sequence E of literal occurrences displayed on the right-hand side of Figure 3. E is 
an instance-preserving enumeration of the open tableau branch on the left-hand 
side. The set of literals of its Herbrand path is 

{¬P(c, b), ¬P(a, b), P(a, c), P(b, c), P(b, a), P(b, b), P(a, a), ¬P(c, a), ¬P(c, c)} 

which is a Herbrand interpretation for S. This technique has similarities with 
Baumgartner’s exception rule [Bau00] and with Peltier’s method [Pel99] of an- 
notating clauses with equational constraints. However, due to lack of space we 
cannot present a detailed comparison in this paper. 
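As an added example (not the authors' code), the following Python program computes the Herbrand path of Definition 8 over the finite Herbrand universe {a, b, c} for the enumeration E of Figure 3 and reproduces the literal set just stated. The clause set is the one obtained from Figure 2 by the two modifications described above; since the figure only marks the selected literal for two of the enumerated clauses, the other selections are assumptions of the example, and the ordering check `instance_preserving` is likewise an addition.

```python
# Herbrand path of an instance-preserving enumeration (Def. 8), computed over
# the finite Herbrand universe {a, b, c} for the branch of Fig. 3.  Added
# example, not the authors' code.  Terms are strings (variables start with x,
# y or z); a literal is (sign, predicate, args); a clause is a tuple of literals.
from itertools import product

def is_var(t):
    return t[0] in "xyz"

def lit(sign, pred, *args):
    return (sign, pred, args)

def ground_instances(clause, universe):
    """All ground instances of a clause over the universe (its part of S*)."""
    vs = sorted({a for _, _, args in clause for a in args if is_var(a)})
    for vals in product(universe, repeat=len(vs)):
        s = dict(zip(vs, vals))
        yield tuple((sg, p, tuple(s.get(a, a) for a in args)) for sg, p, args in clause)

def instance_preserving(enum, universe):
    """Def. 8 ordering: a proper instance never follows its generalisation.
    Over a finite universe, instance-of is inclusion of ground-instance sets."""
    G = [set(ground_instances(c, universe)) for c, _ in enum]
    return all(not G[j] < G[i] for i in range(len(G)) for j in range(i + 1, len(G)))

def herbrand_path(enum, inputs, universe):
    """Literals of the Herbrand path P*: every ground clause of S* contributes
    the selected literal of its minimal matcher, i.e. the first enumerated
    clause it is an instance of (Def. 8).  KeyError means E misses an instance."""
    chosen = {}                                   # ground clause -> literal
    for clause, sel in enum:                      # earlier entries win
        for g in ground_instances(clause, universe):
            chosen.setdefault(g, g[sel])
    return {chosen[g] for c in inputs for g in ground_instances(c, universe)}

def consistent(lits):
    """No complementary pair: then lits is a partial Herbrand model (Prop. 1)."""
    return not any((not sg, p, a) in lits for sg, p, a in lits)

P = lambda *a: lit(True, "P", *a)
N = lambda *a: lit(False, "P", *a)
TRANS = (N("x", "z"), P("x", "y"), P("y", "z"))
# S of Fig. 3: the transitivity clause with the units ¬P(c,b), ¬P(a,b), P(a,c).
INPUTS = [TRANS, (N("c", "b"),), (N("a", "b"),), (P("a", "c"),)]
# The enumeration E on the right of Fig. 3 (units first, input clause last),
# each paired with the index of its selected literal; only the two boxed
# selections are visible in the figure, the other selections are assumptions.
E = [
    ((N("c", "b"),), 0),
    ((N("a", "b"),), 0),
    ((P("a", "c"),), 0),
    ((N("a", "c"), P("a", "b"), P("b", "c")), 2),
    ((N("a", "z"), P("a", "b"), P("b", "z")), 2),
    ((N("a", "c"), P("a", "y"), P("y", "c")), 1),   # boxed P(a,y)
    ((N("b", "c"), P("b", "y"), P("y", "c")), 1),   # boxed P(b,y)
    ((N("b", "z"), P("b", "y"), P("y", "z")), 1),
    ((N("a", "z"), P("a", "y"), P("y", "z")), 1),
    (TRANS, 0),
]
UNIVERSE = ("a", "b", "c")
# The literal set stated in the text for this branch.
EXPECTED = {N("c", "b"), N("a", "b"), P("a", "c"), P("b", "c"), P("b", "a"),
            P("b", "b"), P("a", "a"), N("c", "a"), N("c", "c")}

if __name__ == "__main__":
    model = herbrand_path(E, INPUTS, UNIVERSE)
    print(instance_preserving(E, UNIVERSE), consistent(model), model == EXPECTED)
```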

For the generation of models, we have to formalise the notion of a tableau 
which cannot be ∀-closed. In contrast to tableau calculi like connection tableaux 
[LMG94] or Fitting’s free-variable tableaux [Fit96], the disconnection tableau 
calculus is nondestructive, i.e., any inference step performs just an expansion 
of the previous tableau and any tableau of a disconnection tableau sequence T 
contains all tableaux with smaller indices in the sequence as initial segments. 
This permits that we can form the union ⋃T of all tableaux in T. In the case of 
a finite sequence, ⋃T is just the last element in the sequence. In general, ⋃T 
may be an infinite tableau. We call ⋃T the tableau of the sequence T. 

Definition 9 (Saturation). A branch B in a (possibly infinite) tableau T is 
called saturated if B is open and cannot be extended in a variant-free manner by 
the linking rule. The tableau ⋃T of a disconnection tableau sequence T is called 
saturated if either all its branches are closed or it has a saturated branch. 

As a final preparation of the main result of this section, we mention the 
following straightforward property of disconnection tableaux. 

Lemma 1. Let B be a saturated branch in a disconnection tableau. If B contains 
a node N_1 with literal l and clause c and a node N_2 with literal ¬l' and clause c' 
such that ℓ = {(c, l), (c', ¬l')} is a connection with unifier σ which is no renaming 
substitution, then B must contain a linking instance of c or c' wrt. ℓ. 

Proposition 2 (Model characterisation). Given a branch B of the tableau 
of a disconnection tableau sequence for a clause set S and an initial path P_S, let 
P be the path associated with B. If B is saturated, then the set of literals I of 
any Herbrand path P* of P ∪ P_S is a partial Herbrand model for S. 

Proof. First, we show that P* is a consistent Herbrand path through S*. Assume, 
indirectly, that P* is not. This means that P* contains two literal occurrences 
(c, l) and (c', ¬l). Since P* is the Herbrand path of an instance-preserving enu- 
meration E of P ∪ P_S, P ∪ P_S must contain two literal occurrences which are 
more general than (c, l) and (c', ¬l), respectively. We select their minimal match- 
ers o_1 = (c_1, k) and o_2 = (c_2, ¬k') in E. Obviously, k and k' must be unifiable. 
Let σ be a most general unifier of k and k'τ where c_2τ is a variant of c_2 which 
is variable-disjoint from c_1. Either σ is a renaming substitution. In this case B 
would be ∀-closed, which contradicts our assumption. Or, σ is no renaming sub- 
stitution. Then we can apply Lemma 1 which assures that a proper instance c_3 
of c_1 or c_2 must be on the branch B and c_3 is a linking instance of that clause 
wrt. the connection {o_1, o_2}. Then c_3 is a matcher of c or c', but this contradicts 
our selection of o_1 and o_2 as minimal matchers of c and c', respectively. Since 
we have considered all cases, P* must be a consistent Herbrand path through 
S*. Therefore, by Proposition 1 the set of literals I of P* is a partial Herbrand 
model for S. □ 
Fig. 4. A saturated open disconnection tableau for a clause set with an infinite Her- 
brand universe. 

In principle, this result suffices for the explicit extraction of Herbrand models 
as sets of ground literals from saturated branches. But, in certain cases, a finite 
branch can even represent an infinite Herbrand model. As an example, consider 
the saturated tableau in Figure 4 and its right-most branch. The enumeration 

¬P(f(a)), P(a), P(f(f(x))) 

of this branch represents an infinite Herbrand model for the respective clause 
set S, viz. 

{¬P(f(f(f(a)))), ¬P(f(a)), P(a)} ∪ {P(f(f(s))) : s ≠ f(a)} 

where s ranges over the Herbrand universe of S. From every finite enumera- 
tion, one can compute such a schematic expression with instantiation exceptions. 
Many important questions concerning Herbrand models can be solved efficiently 
in this framework. 

Given a finite enumeration E of a saturated branch B in a disconnection 
tableau for a clause set S and any literal l, then the following problems (among 
others) can be decided in time polynomial in the size of E and l, even if the 
Herbrand universe of S is infinite: 

1. is an instance of l in the partial Herbrand model I represented by E, 

2. are all instances of l in I, 

3. compute a schematic expression of all instances of l in I. 

This shows the potential of the framework for the extraction and represen- 
tation of models. We should emphasise, however, that this approach does not 
subsume the term schematisation concepts developed, e.g., in [Sal92, HG97]. 

4 Completeness of the Disconnection Tableau Calculus 
With the model characterisation proposition at hand, the completeness of the 
disconnection tableau calculus can be recognised with a technique which is more 
traditional for tableaux. The key approach is to use a systematic or fair inference 
strategy [Smu68]. In general, the disconnection tableau calculus is nondetermin- 
istic. An inference strategy makes the tableau construction deterministic for any 
input set. Formally, an inference strategy f is a mapping which associates with 
every clause set S a disconnection tableau sequence T for S. We call ⋃T the 
tableau for S and f. 

In detail, an inference strategy has to deal with the following three kinds of 
indeterminisms: 

1. the selection of the initial path, 

2. the selection of the next branch B to be expanded, 

3. the selection of the next linking step to be performed on B. 

Definition 10 (Fairness). An inference strategy f is called systematic or fair 
if, for any clause set S, the tableau for S and f is saturated. 

Obviously, there are fair inference strategies for the disconnection tableau 
calculus. It can easily be checked that the following describes such a fair strategy. 

Example 1 (A fair inference strategy). 

1. For the initial path: select the first literal in each clause, 

2. for branch selection: choose the left-most open branch B, 

3. for link selection: from all links on B where the sum of the depths⁴ of the 
connected nodes is minimal, select the one where the depth of the upper 
node is minimal. 



Proposition 3 (Completeness). If S is an unsatisfiable clause set and f is 
a fair inference strategy, then the tableau T for S and f is a finite ∀-closed 
disconnection tableau for S. 

Proof. First, we show that every branch of T is ∀-closed. Assume not, then, 
because of the fairness of the strategy f, T would be saturated and contain a 
saturated branch. Then, by Proposition 2, S would be satisfiable, contradicting 
our assumption. The ∀-closedness entails the finiteness of every branch. Since T 
is finitely branching, by König’s Lemma, it must be finite. □ 



5 Refinements 

Our research regarding the disconnection tableau calculus was not for theoret- 
ical purposes only. There also exists an implementation of the disconnection 
tableau calculus, which was presented in [LS01]. When designing a new calcu- 
lus for implementation in a powerful theorem prover, it is impossible to ignore 
the successful paradigms developed in the field of automated theorem proving 
over the recent decades. Therefore, when new issues such as proof length and 
redundancy elimination came into focus also from a practical point of view, we 
incorporated a number of completeness preserving refinements into the calculus 
that are described in the aforementioned paper. 

⁴ The depth of a tableau node is the number of its ancestor nodes. 

These refinements include different variations of subsumption, a strong unit 
theory element and several deletion strategies for redundancy elimination. For 
lack of space, however, we cannot describe these refinements here in depth or 
give proof of their preserving the completeness of the disconnection calculus. 
Fig. 5. ∀-closed plain disconnection tableau. 



Here, we will concentrate on one particular facet of these refinements. One in- 
herent characteristic of plain tableau calculi is that they are inherently cut-free. 
This property may lead to the generation of large proofs containing many redun- 
dant inferences and these redundancies also occur when searching for models. 
The standard approach for solving this problem is the use of lemmas or controlled 
cuts. 

The following example demonstrates the possibility of introducing unit lem- 
mas, which simulate certain atomic cut steps. Figure 5 shows a ∀-closed plain 
disconnection tableau for the unsatisfiable clause set 

S = {{P(x), P(f(x))}, {¬P(x), ¬P(f(f(x)))}}. 

The structure of the subtableau below the node ¬P(f(x)) strongly resembles 
the structure of the subtableau below the node ¬P(f(f(f(x)))), which indicates 
that a part of the proof might be redundant. If we look at the tableau in Figure 6 
we see that this redundancy indeed exists and how, by the use of folding up and 
unit simplification, we can avoid this redundancy. Folding up works as follows. 
Assume a subtableau T with root literal l is ∀-closed without referring to literals 
on the branch above l. This amounts to the generation of a new unit lemma, 
namely, the complement of lσ where σ identifies all variables in l — just taking 
the complement of l would be unsound because of the branch closure condition 
which identifies all variables. This feature is a special case of the so-called folding 
up procedure [LMG94]. In the example, the new unit lemma P(f(x)) is inserted 
at the root of the tableau after closure step 4. 

Unit simplification allows the immediate closure of a branch if it contains 
a literal k which can be unified with the complement of the literal in an input 
unit clause or a unit lemma. Unit simplification is used to close the right-most 
branch of the tableau in Figure 6, thus eliminating the entire right subtableau. 

Fig. 6. ∀-closed disconnection tableau with unit lemmas. 



It is the use of refinements like the ones described above that turns the im- 
plementation of a calculus into a potentially successful proof procedure. It must 
be noted, however, that the disconnection calculus is not compatible with cer- 
tain refinements or is only compatible with weakened forms of those refinements. 
Examples for such refinements are hyperlinking or goal orientation. Goal orienta- 
tion may be introduced into the proof procedure to a certain degree by adjusting 
the weighting and selection functions, but the fairness condition required to sus- 
tain the branch saturation property prevents us from exploiting goal orientation 
to the full. 

6 Conclusions and Further Work 

In this paper, we have presented the disconnection tableau calculus, a promising 
framework for proof and model finding in automated reasoning. We have given 
rigorous self-contained proofs of completeness and model generation. In order to 
make the calculus practically relevant, we have shown how the special handling 
of unit clauses can be integrated into the framework. Proof-theoretically, the 
disconnection framework has a number of advantages. Like Plaisted’s linking 
method, the disconnection approach avoids the duplication problem inherent in 
calculi like resolution. Furthermore, it is branch saturating and combines the 
appealing properties of traditional tableau methods w.r.t. model generation with 
a controlled method of generating clause instances purely guided by connections. 

As future promising research directions we would like to mention the follow- 
ing three issues. First, it is absolutely necessary to integrate an efficient equality 
handling into the framework. In [Bil96], a method was briefly sketched which is 
a form of paramodulation adapted to the tableau framework. Since we have no 
structural tableau restrictions (like, e.g., the connectedness condition in connec- 
tion tableaux) which are incompatible with orderings, even the integration of an 
ordered equality handling is possible [BG98]. 

A further interesting research line would be to consider the integration of term 
schematisation techniques [Sal92,HG97] into the disconnection tableau frame- 
work, which would require an extension of the unification procedure. Such tech- 
niques would permit a further condensation of the representation of models. 

Finally, it could be interesting to envisage the generation of finite general 
(i.e., non-Herbrand) models. The current methods for the generation of general 
finite models like Finder [Sla94] or Mace [McC94] work by a more or less blind 
identification of terms. Since the literals and terms on a (non-saturated) branch 
of a disconnection tableau often induce certain promising identifications of terms, 
it seems promising to integrate such a subcomponent into a disconnection tableau 
prover. With such a subcomponent, the decision power of the system could 
significantly be improved. 
Abstract. A binary resolution proof is represented by a binary resolu- 
tion tree (brt) with clauses at the nodes and resolutions being performed 
at the internal nodes. A rotation in a brt can be performed on two adja- 
cent internal nodes if the result of reversing the order of the resolutions 
does not affect the clause recorded at the node closer to the root. Two 
brts are said to be rotationally equivalent if one can be obtained from 
the other by a sequence of rotations. Let $c(T)$ be the number of brts 
rotationally equivalent to T. It is shown that if T has n resolutions, all 
on distinct atoms, and m merges or factors between literals, then 

$$c(T) \geq 2^{2n - \Theta(m \log(n/m))}.$$

Moreover $c(T)$ can be as large as $n!/(m+1)$. A-ordering, lock resolution 
and the rank/activity restriction avoid calculating equivalent brts. 

A dynamic programming polynomial-time algorithm is also given to cal- 
culate c{T) if T has no merges or factors. 



1 Introduction 

Binary resolution [8] is a commonly used technique in automated reasoning. 
There are many different ways to represent a binary resolution proof. The first 
method is to make a list of the clauses needed in whatever one is trying to prove, 
and record whether each clause is an input clause, or is produced by resolving 
two previous clauses in the list. As the order in which many of the resolutions 
steps are performed is not important, many effectively identical proofs would be 
considered to be different if a proof were only considered to be a list. 

A better method is to consider a proof to be a binary tree, where the child 
of two nodes is the result of resolving the clauses at the parent nodes. Here 
the binary resolution tree (brt) of [6,10] is used to represent such proofs. Many 
resolution-based automated reasoners construct proofs that can be effectively 
represented by brts. Every clause produced is the result of a brt, and such a 
reasoner can be considered to be producing brts rather than clauses. 

Binary resolution sometimes is associative. For some clauses A, B and D, 
$(A *_c B) *_e D = A *_c (B *_e D)$. Resolution on an atom p is denoted by the 
operation $*_p$. Thus it is possible to change the order of the resolutions in the brt 
and produce essentially equivalent proofs. The clauses produced along the way 
are different, so that as lists of clauses, the proofs could look quite different. This 
associative redundancy of binary resolution is studied in mm, where equivalent 
brts are said to be rotationally equivalent. If a redundant brt is produced whose 
result is not the empty clause, then a clause is produced which is not needed. 

Binary resolution has commutative redundancy also, which is much easier to 
handle. Because $A *_c B = B *_c A$ for all clauses A and B which can be resolved, 
resolution procedures only perform one of these resolutions. One common way 
to avoid the duplication is to order the clauses into a “waiting” list, select each 
one at a time as a “given” clause, resolve the given clause with any former given 
clause which has been retained, and put the resulting clauses into the waiting 
list. In this way, each pair of clauses is chosen only once. Assuming that clause A 
is chosen before clause B, the pair {A, B} is resolved only when B is the chosen 
clause, and not when A is the chosen clause. If a procedure does not avoid this 
commutative redundancy, then each brt with n resolutions can be constructed 
in $2^n$ different ways. By deleting identical clauses using forward subsumption, 
such a procedure produces each brt in two ways. Hence most clauses, except 
some near the end, would be produced twice, so that such a procedure would be 
half as fast as an equivalent procedure which avoids commutative redundancy. 
Avoiding commutative redundancy thus speeds up a procedure by a factor of 
nearly two. 

How much can one speed up a reasoner by removing associative redundancy? 
One way to estimate this speedup is to count the number of equivalent proofs that 
would be produced by a procedure that does not avoid associative redundancy, 
which calculates all the equivalent brts. The number of equivalent proofs is 
typically exponential, but this does not imply that the speedup is exponential. 
The number of equivalent proofs under commutative redundancy is $2^n$, where n 
is the number of resolutions, but the speedup factor is only 2. It is conjectured 
in the last section that the speedup factor is usually about the root of the 
number of equivalent proofs. 

An automated binary resolution procedure generally produces multiple brts 
that are redundant because of associativity. Once produced, the extra brts are 
typically removed by subsumption. The rank/activity restriction of [B] combined 
with a fair resolution procedure (any allowed resolution is eventually performed) 
constructs exactly one brt from each equivalence class. The rank/activity re- 
striction avoids precisely the associative redundancy of resolution. 

Variants of resolution that order the literals with a clause, such as ordered 
resolution m or lock resolution PP, also avoid constructing equivalent brts, but 
these procedures do not produce brts in all equivalence classes. Nevertheless this 
is a possible explanation of why they are relatively fast procedures. 

Associative redundancy is more difficult to deal with than commutative re- 
dundancy partly because resolution always commutes but does not always as- 
sociate. If two of the clauses have a common literal, and it is one of the re- 
solved literals, then in one order of the resolutions it can be merged and then 
resolved away, but with the other order it is left in the result. For example: 
$(ace *_c bce) *_e de = abd$, but $ace *_c (bce *_e de) = abde$. 

In this paper it is shown that if a brt contains n internal nodes and m 
mergings of literals, then the number of brts equivalent to a given brt is 
$c(T) \geq 2^{2n - \Theta(m \log(n/m))}$, and can be as large as $n!/(m+1)$. Deleting identical clauses 
allows one to construct a number of equivalent brts equal to the number of 
nodes which can be rotated to the root of the brt. In clause tree terms, this 
is the number of internal atom nodes which are not internal to a merge path. 
Supposing that m is not too big, then the r/a restriction saves a factor of between 
about 4 and n on the number of resolutions performed, and hence indicates that 
the above procedures which order the literals of clauses should run 4 times faster 
than otherwise equivalent procedures. 

As only the structure of the proofs is important in this paper, it can be 
assumed for the most part that all atoms are ground atoms. Also one can consider 
in any given proof that each resolution is done on a different atom from all 
the other resolutions in the proof. These assumptions prevent consideration of 
improvements to the proof by inserting different factoring operations, or different 
merges. Indeed factors are often called merges throughout this paper. However the 
results of this paper apply to first order logic without these restrictions just as 
well as to propositional logic. 

The second section gives background concerning brts and clause trees [5]. 
Clause trees are another method of considering binary resolution proofs, and 
are essential for understanding the results in this paper. Section 3 considers 
the extreme cases for the number of equivalent brts when there are no merges 
of literals in the proofs. Section 4 gives a dynamic programming algorithm to 
calculate the exact number of brts equivalent to a given brt without any merges. 
Section 5 considers the extreme cases when the proof is allowed to have merges. 
Section 6 lists some open questions. 

2 Background 

The reader is assumed to be familiar with the standard notions of binary reso- 
lution. Resolution proofs can be represented by the following type of proof 
tree. 

Definition 1. A binary resolution tree, or brt on a set S of input clauses is a 
binary tree where each node N in the tree is labeled by a clause label, denoted 
cl(N). The clause label of a leaf node is an instance of a clause in S, and the 
clause label of a non-leaf is the resolvent of the clause label of its parents. A 
non-leaf node is also labeled by an atom label, al(N), equal to the atom resolved 
upon. The clause label of the root is called the result of the tree, result(T). A 
sub-brt of a brt T is a brt which consists of a node of T together with all its 
ancestor nodes, induced edges and their labels. 

For the brt in Figure 1, $S = \{\{b, e\}, \{e, f\}, \{a, b, e\}, \{a, b, d\}, \{c, d\}\}$. The 
result of the brt is the clause $\{c, f\}$. The order of the parents of a node is not 
defined, thereby avoiding commutative redundancy. 
Fig. 1. A binary resolution tree and a corresponding clause tree 



Merging literals during the construction of a proof is only done immediately 
after a resolution, at the first possible opportunity. This differs from m where 
factoring was delayed as long as possible instead. Either way there is no need 
to have nodes for factoring, as it always appears as part of a resolution step. 
Forcing factoring to be done early agrees better with what some automated 
reasoning procedures do. To avoid some trivial paths, in both brts and in clause 
trees defined below, all general factors of the input clauses are assumed to be 
available. 

The resolution mapping $\rho$ at an internal node in a brt maps each resolved 
literal to the atom resolved upon, and maps each unresolved literal $c$ to the 
occurrence of $c\theta$ in the resolvent, where $\theta$ is the product of the unifications used in 
the resolution and any required factoring operations. Let the nodes $(N_0, \ldots, N_n)$ 
occur in a brt T such that $N_0$ is a leaf whose clause label contains a literal $a$, and 
for each $i = 1, \ldots, n$, $N_{i-1}$ is a parent of $N_i$. Let $\rho_i$ be the resolution mapping 
from the parents of $N_i$ to $N_i$. Also let $\rho_i \ldots \rho_2 \rho_1 a$ occur in $cl(N_i)$, so that $a$ is 
not resolved away at any $N_i$. Suppose $N_n$ either is the root of T, or has a child 
$N$ such that $\rho_n \ldots \rho_1 a$ is resolved upon. Then $P = (N_0, \ldots, N_n)$ is the history 
path for $a$. The history path is said to close at $N$ if $N$ exists. However $N$ is not 
considered to be on the history path. The resolution mapping tells what happens 
to each literal in a given resolution step, and the history path tells what happens 
to it from the leaf where it is introduced to the node where it is resolved away. 

The application of associativity requires two adjacent nodes to be rotated in 
a brt, reversing the order of the resolutions, and still produce the same resulting 
clause at the lower node. This rotation is similar to the rotation performed in 
AVL-trees when rebalancing. 

Operation 1 (edge rotation) Let T be a binary resolution tree with an edge 
(C, E) between internal nodes such that C is the parent of E and C has two 
parents A and B. Further, assume that no history path through A closes at E. 
Then the result of a rotation on this edge is the binary resolution tree T' defined 
by resolving cl(B) and cl(D) on al(E) giving cl(E) in T' and then resolving 
cl(E) with cl(A) on al(C) giving cl(C) in T'. Any history path closed at C in T 
is closed at C in T'; similarly any history path closed at E in T is closed at E in 
T'. Also, the child of E in T, if it exists, is the child of C in T'. (See Figure 2.) 
Fig. 2. A binary tree rotation 



A rotation may introduce tautologies to clause labels of internal nodes. For 
instance, if al{C) occurs in cl{D) then cl{E) in T' may be tautological. However 
the clause label of the root is not changed. 

Lemma 1. Given a binary resolution tree T with an internal node C and its 
child E, the rotation of edge (C, E) generates a new binary resolution tree and 
cl{C) = cl{E) up to variable renaming. 

Rotations are invertible; after a rotation, no history path through D closes 
at C, so another rotation at (E, C) can be done, which generates the original 
tree again. Two binary resolution trees are rotationally equivalent if one can be 
generated from the other by a sequence of rotations. Rotation equivalence is 
an equivalence relation. Rotation equivalence captures precisely the associative 
redundancy of binary resolution. 
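The associativity example of the introduction ($(ace *_c bce) *_e de = abd$ versus $abde$) and Operation 1, as an added example that is not the paper's code: ground clauses are frozensets of signed literals, so identical literals merge immediately; `rotate` performs the edge rotation on (C, E) and refuses it when a history path through A closes at E; `same_tree` checks that rotating the new edge again restores the original tree. The clause syntax (`'a -c e'`), the class and function names, and the ground, distinct-atom restriction (under which a history path from A closes at E exactly when cl(A) contains the atom al(E)) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Added example: ground binary resolution, brts and Operation 1 (edge rotation).
# Not code from the paper; the 'a -c e' clause syntax and all names are constructed here.

Literal = Tuple[str, bool]        # (atom, positive?)
Clause = FrozenSet[Literal]       # a set, so identical literals merge immediately


def clause(spec: str) -> Clause:
    """'a -c e' -> {a, not c, e}; a leading '-' marks a negative literal."""
    return frozenset((tok.lstrip("-"), not tok.startswith("-")) for tok in spec.split())


def resolve(x: Clause, y: Clause, atom: str) -> Clause:
    """x *_atom y: binary resolution on `atom`; duplicate literals merge by set union."""
    if (atom, True) in x and (atom, False) in y:
        pos, neg = x, y
    elif (atom, True) in y and (atom, False) in x:
        pos, neg = y, x
    else:
        raise ValueError(f"clauses are not complementary on {atom}")
    return (pos - {(atom, True)}) | (neg - {(atom, False)})


@dataclass
class Node:
    """A brt node: clause label cl, atom label al (None at leaves) and its parents."""
    cl: Clause
    al: Optional[str] = None
    parents: Tuple["Node", ...] = ()


def leaf(spec: str) -> Node:
    return Node(clause(spec))


def resolve_nodes(x: Node, y: Node, atom: str) -> Node:
    return Node(resolve(x.cl, y.cl, atom), atom, (x, y))


def history_path_closes_at(src: Node, target: Node) -> bool:
    """Ground, distinct-atom setting (assumption): a literal of cl(src) survives to
    `target` and is resolved there iff its atom is al(target)."""
    return any(atom == target.al for atom, _ in src.cl)


def rotate(E: Node, C: Node) -> Optional[Node]:
    """Operation 1 on edge (C, E): C is a parent of E, C has parents A and B, D is E's
    other parent.  Returns the rotated tree rooted at C', or None when a history path
    through A closes at E (the literal was merged at C, so rotation is not allowed)."""
    if not any(p is C for p in E.parents) or len(C.parents) != 2:
        raise ValueError("(C, E) must join two internal nodes")
    (D,) = [p for p in E.parents if p is not C]
    A, B = C.parents
    if history_path_closes_at(A, E):
        A, B = B, A                       # the resolved literal may come from the other parent
        if history_path_closes_at(A, E):
            return None                   # both parents feed al(E): a merge at C blocks rotation
    E_new = resolve_nodes(B, D, E.al)     # cl(E) in T' = cl(B) *_{al(E)} cl(D)
    return resolve_nodes(A, E_new, C.al)  # cl(C) in T' = cl(A) *_{al(C)} cl(E)


def same_tree(x: Node, y: Node) -> bool:
    """Structural equality ignoring parent order (the paper leaves that order undefined)."""
    if x.cl != y.cl or x.al != y.al or len(x.parents) != len(y.parents):
        return False
    if not x.parents:
        return True
    (p, q), (r, s) = x.parents, y.parents
    return (same_tree(p, r) and same_tree(q, s)) or (same_tree(p, s) and same_tree(q, r))


def demo():
    # the paper's example: (ace *_c bce) *_e de = abd but ace *_c (bce *_e de) = abde
    ace, bce, de = leaf("a c e"), leaf("b -c e"), leaf("d -e")
    left = resolve(resolve(ace.cl, bce.cl, "c"), de.cl, "e")
    right = resolve(ace.cl, resolve(bce.cl, de.cl, "e"), "c")
    # the same proof as a brt: C = ace *_c bce (the two e literals merge here), E = C *_e de
    C = resolve_nodes(ace, bce, "c")
    E = resolve_nodes(C, de, "e")
    blocked = rotate(E, C)                # None: history paths from both A and B close at E
    # a rotatable brt: without e in the first clause only B carries the e literal
    A, B, D = leaf("a c"), leaf("b -c e"), leaf("d -e")
    C2 = resolve_nodes(A, B, "c")
    E2 = resolve_nodes(C2, D, "e")
    rotated = rotate(E2, C2)
    back = rotate(rotated, rotated.parents[1])   # rotating the new edge restores T
    return left, right, blocked, E2.cl, rotated.cl, same_tree(back, E2)


if __name__ == "__main__":
    print(demo())
```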

In a brt, the atom being resolved upon labels the nodes instead of the edges 
as is usually done in proof trees [2,4]. In the equivalent proofs studied in this 
paper, what is constant between them is what instances of input literals merge 
and resolve together. Which history paths close together is the important thing. 
Rotations do not affect what literal instances merge and resolve. 

It is possible that a brt has two sub-brts which are isomorphic, in that the 
subtrees are isomorphic, and the atom and clause labels of corresponding nodes 
are the same. A theorem prover could thus have two different nodes with a 
common parent, and the proof found would become an acyclic directed graph 
(dag) instead of a tree. 

Binary resolution proofs can also be represented by an entirely different tree 
structure, the clause tree, introduced in [5]. Conceptually, a clause tree represents 
a clause together with a proof from a set of input clauses. An input clause is 
represented by a complete bipartite graph $K_{1,n}$ or claw, in which the leaves 
correspond to the atoms of the literals of the clause, modified by the sign on 
the edge connecting the leaf to the central vertex. Such a clause tree is said to 
be elementary. A new clause tree can be built by resolving two complementary 
literals from different elementary clause trees. Identify the two leaves, so the 
resolved literal becomes an internal node of the tree, thereby building a clause 



J.D. Horton 



tree with leaves still corresponding to the other literals of the clauses. Thus 
leaves of the clause tree correspond to the literals of the clause. If there are two 
leaves with unifiable or identical literals, then two unifiable or identical literals 
occur in the clause. Merging two such literals is represented in the clause tree 
by applying a substitution if necessary, and choosing a merge path from the leaf 
corresponding to the removed literal to the other leaf corresponding to the now 
identical literal. 

The above discussion suggests a procedural definition, by giving the opera- 
tions to construct clause trees, as in [5]. Here the definition is structural. 

Definition 2 (Clause Tree). $T = (N, E, L, M)$ is a clause tree on a set S of 
input clauses if: 

1. (N, E) as a graph is an unrooted tree. 

2. L is a labeling of the nodes and edges of the tree, $L : N \cup E \rightarrow S \cup A \cup \{+, -\}$, 
where A is the set of instances of atoms in S. Each node is labeled either by 
a clause in S and called a clause node, or by an atom in A and called an 
atom node. Each edge is labeled + or −. 

3. No atom node is incident with two edges labeled the same. 

4. Each edge $e = \{a, c\}$ joins an atom node a and a clause node c; it is associ- 
ated with the literal $L(e)L(a)$. 

5. For each clause node c, $\{L(a, c)L(a) \mid \{a, c\} \in E\}$ is an instance of $L(c)$. A 
path $(v_0, e_1, v_1, \ldots, e_n, v_n)$ where $0 \leq i \leq n$, $v_i \in N$ and $e_j \in E$ where 
$1 \leq j \leq n$ is a merge path if $L(e_1)L(v_0) = L(e_n)L(v_n)$. Path $(v_0, \ldots, v_n)$ 
precedes ($\prec$) path $(w_0, \ldots, w_m)$ if $v_n = w_i$ for some $i = 1, \ldots, m-1$. 

6. M is the set of chosen merge paths such that: 

a) the tail of each is a leaf (called a closed leaf), 

b) the tails are all distinct and different from the heads, and 

c) the relation $\prec$ on M can be extended to a partial order, that is, does not 
contain a cycle. 

An open leaf is an atom node leaf that is not the tail of any chosen merge 
path. The set of the literals at the open leaves of a clause tree T is called the clause 
of T, $cl(T)$, and is identical to the clause at the root of a corresponding brt. 

Some relationships between brts and clause trees are discussed in m- Among 
them are: internal nodes of brts correspond to atom nodes of the clause tree; 
leaves of a brt correspond to clause nodes of the clause tree; a history path in 
a brt corresponds to an edge of a clause tree. See Figure 1 to see a clause tree 
that corresponds to a brt. 

In this paper we disallow merge paths of length two since they correspond to 
factoring an input clause. Any most general factor of an input clause is allowed 
to form an elementary clause tree instead. 

When a merge path is chosen between two open leaves, there is no reason to 
choose one direction over the other, unless one specifies some arbitrary heuristic. 
The corresponding proofs remain exactly the same. One can define a path reversal 
operation which changes the clause tree except that one merge path runs in the 
opposite direction, which may cause some other merge paths to be modified 
somewhat. Then two clause trees are said to be reversal equivalent if there is 
a sequence of path reversals which transform one tree to the other. Perhaps a 
better alternative, developed in in a slightly different context and put into 
general clause trees in [^ , is the foothold restriction, which can be used to make 
an arbitrary choice that is consistent regardless of the order of the resolutions. 

Since both clause trees and brts are simply ways to write down resolution 
proofs, they are also equivalent to each other. The rotational equivalence classes 
of brts are in one-to-one correspondence with the reversal equivalence classes of 
clause trees m- 

3 Proofs without Merges 

A resolution proof that does not contain any step in which two literals merge, or 
factor, corresponds to a clause tree with no chosen merge paths. The resolutions 
can be done in any order. Such proofs have been considered in several ways. Given 
a set S of clauses, it is known that the following statements are equivalent: S 
has an input refutation; S has a unit refutation; the set of factors of S contains a 
relative Horn subset which is unsatisfiable. These are equivalent to S admitting 
a clause tree without merge paths [5]. If there are n resolutions, then there 
are $n!$ different proofs, written as a sequence of resolutions, for which every 
resolution is relevant to the proof. The clause tree corresponding to these proofs is 
unique, since there are no merge paths to be reversed. Many brts, all rotationally 
equivalent, can correspond to these proofs, as a sequence of resolutions, yet each 
brt may correspond to many of these proofs. 

Given a brt T with n atom nodes, let $c(T)$ be the number of brts rotationally 
equivalent to T. Similarly define the number of brts corresponding to a given 
clause tree T to be $c(T)$. 

Theorem 2. If T is a mergeless brt with n internal nodes, so that it corresponds 
to a mergeless clause tree T, then 

$$C_n \leq c(T) \leq n!$$

where $C_n = (2n)!/(n!\,(n+1)!)$ is the Catalan number. These bounds are 
tight. 

Proof. Once the order of the n resolutions is determined, so is the brt. There- 
fore $c(T) \leq n!$, the number of possible orderings of the resolutions. If T is 
a(n extended) claw $K_{n,1}$, then T itself is a linear binary tree, with every resolu- 
tion being between an input unit clause and the “central” clause. The resolutions 
can be done in any order, so the number of equivalent brts is $n!$. See Figure 3. 

Fig. 3. A clause tree maximizing the number of equivalent brts, with shape of corre- 
sponding brt. 

Fig. 4. A clause tree minimizing the number of equivalent brts. 

If T is a path, see Figure 4, then the corresponding brt T can be shaped like 
any binary tree with n internal nodes. Let $f(n)$ be the number of brts correspond- 
ing to a clause tree which is a path, containing n internal atom nodes. Assume 
that the $k$-th internal atom node corresponds to the last resolution. Removing 
the atom node breaks the path into two clause trees which are paths themselves, 
one with $k - 1$ internal atom nodes and the other with $n - k$. The number of 
brts then is $f(k-1)f(n-k)$. Summing over all the choices of internal atom 
nodes, any of which can be the last resolution, $f(n) = \sum_{k=1}^{n} f(k-1)f(n-k)$. 

The solution to this recurrence is well-known to be $f(n) = C_n$. Therefore the 
lower bound is tight. 

Lastly we prove the lower bound. Assume that $c(T^*) \geq C_k$ if $T^*$ has $k < n$ 
internal atom nodes. Let the internal atom nodes of T be $\{a_1, a_2, \ldots, a_n\}$. For 
each atom node $a_i$, let the subtrees determined by breaking T at the atom node 
$a_i$ be $T_i$ and $T_i'$. Assume that $T_i$ has no more internal atom nodes than $T_i'$, 
and that this number is $b_i$. Thus the number of internal atom nodes in $T_i'$ is 
$n - 1 - b_i \geq b_i$. Then 

$$c(T) \geq \sum_{i=1}^{n} C_{b_i} C_{n-1-b_i} = f(T) \qquad (1)$$

The function $f$ defined in equation (1) is a lower bound on $c(T)$ which can be 
calculated from the shape of T. We show that if T has a node of degree 3, then 
we can find another clause tree with n internal atom nodes for which this lower 
bound $f$ is smaller. 

Note that 

$$\frac{C_k}{C_{k-1}} = \frac{(2k)!}{k!\,(k+1)!} \cdot \frac{(k-1)!\,k!}{(2k-2)!} = \frac{(2k)(2k-1)}{k(k+1)} \qquad (2)$$

This ratio increases with k. But the product $C_k C_{n-1-k}$ decreases as k increases 
for a fixed n, as long as $2k < n$, since 

$$\frac{C_{k-1} C_{n-k}}{C_k C_{n-1-k}} = \frac{4 - 6/(n-k+1)}{4 - 6/(k+1)} \qquad (3)$$

It follows that the product $C_k C_{n-1-k}$ is minimized when $k = \lfloor (n-1)/2 \rfloor$. 
Suppose that T has a node c of degree 3 or more. Rename the atom nodes of 
T such that $a_1$ and $a_2$ are the two atom nodes adjacent to c which make $b_1$ and 
$b_2$ as small as possible, with $b_1 \leq b_2$. Then $b_1$ is the number of internal atom 
nodes in the subtree obtained by deleting $a_1$ from T that does not contain the 
clause node c. Similarly $b_2$ is the number of internal atom nodes in the subtree 
obtained by deleting $a_2$ from T that does not contain the clause node c. Thus 
$b_1 \leq b_2 \leq n - 2 - b_1 - b_2$. 

Fig. 5. The construction to show the lower bound 

We modify T to make a new clause tree $T'$ by detaching $a_1$ from c, and 
re-attaching it to the other clause node d adjacent to $a_2$. See Figure 5. Let $b_i'$ be 
defined for $T'$ in the same way as $b_i$ is defined for T. Thus $b_i'$ is the number of 
internal atom nodes in the smaller clause tree obtained by deleting $a_i$ from $T'$. 
Then $b_i = b_i'$ except for $i = 2$. For this case $b_2' = \min\{b_1 + b_2 + 1,\; n - 2 - b_1 - b_2\} > b_2$. 
By equation (3), $f(T') < f(T)$. Thus $f$ is minimized only for clause trees 
with all nodes of degree less than 3, that is, only for paths. For a path the value 
of $f$ from equation (1) is exactly $C_n = \sum_{i=0}^{n-1} C_i C_{n-1-i}$. $\square$ 

4 A Polynomial Algorithm to Count Mergeless Proofs 

Given a mergeless clause tree T, it is possible to count in polynomial time the 
exact number of corresponding brts. The algorithm uses dynamic programming. 
Given a specific clause node c of T, let $f(c, h, T)$ be the number of brts cor- 
responding to T in which the leaf node corresponding to c occurs at height h. 
Once $f(c, h, T)$ is known for any specific c and all $h = 1, \ldots, n$, one can calculate 
$c(T)$ by summing $f(c, h, T)$ over all values for h. If T contains zero atom nodes 
and one clause node c, then $f(c, 0, T) = 1$ and $f(c, h, T) = 0$ for $h > 0$. 
Fig. 6. Breaking the clause tree 

Next we need a recursive formula for $f(c, h, T)$. Let a be an atom node 
adjacent to c, with d being the other clause node adjacent to a. Deleting a, and 
its incident edges, breaks T into two smaller clause trees $T_1$ containing c and $T_2$ 
containing d. See Figure 6. 
Fig. 7. Breaking the brt 



Consider any brt B corresponding to T. Let the leaf $l_c$ corresponding to 
c be at height h in B. Consider the path from this leaf to the root. It must 
contain the node at which the resolution corresponding to a is done. Suppose 
that it contains k nodes at which other resolutions from $T_1$ are done. Then it has 
$h - k - 1$ nodes at which resolutions from $T_2$ are done, excluding the resolution 
corresponding to a. If one were to remove the nodes corresponding to atom nodes 
of $T_2$ and reconnect this path from $l_c$ to the root, then the result would be a brt 
$B_1$ corresponding to $T_1$ in which the leaf corresponding to c would be at height 
k. Similarly removing the nodes corresponding to atom nodes of $T_1$ would leave 
a brt $B_2$ corresponding to $T_2$, with the leaf corresponding to d being at height 
$j \geq h - k - 1$. See Figure 7. Looking at the path from $l_c$ to the root in B again, 
the nodes from $B_1$ can be inserted anywhere on this path, as long as they are 
below the node corresponding to a. The number of ways in which the nodes from 
$T_1$ can be placed is $\binom{h}{k}$. Summing over the possible values of k, 

$$f(c, h, T) = \sum_{k=0}^{h-1} \binom{h}{k} f(c, k, T_1) \sum_{j \geq h-k-1} f(d, j, T_2)$$

The values of $f$ can be calculated using dynamic programming. Let the 
clause tree be rooted at some clause node, complete with child/parent and an- 
cestor/descendant relationships. Suppose that we evaluate $f$ for each subtree 
rooted at any clause node c. To evaluate $f$ for c, first all the values of $f$ for all 
immediate descendant clause nodes must be known, for the subtree rooted at 
that clause node. Then the recursion formula must be applied for each of the 
atom node children of c, so that the formula, for each possible value of h, is 
applied up to $degree(c)$ times at c. The recursion formula must be applied once 
for each internal atom node of T, for values of h up to the number of internal 
atom nodes below the parent clause node of the atom node in the rooted T. 

The internal summation for $T_2$ can be found for all the values of h in linear 
time. Thus the values of $f$ can be calculated in time quadratic in h for any given 
c and T, assuming that the values of $f$ are known for the subtrees and the nodes 
c and d. The set of recursions needs to be calculated once for each atom node of 
T. Hence the whole calculation can be done in cubic time. 
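The dynamic programme of this section and the lower bound $f(T)$ of equation (1) in Section 3, as an added example that is not the paper's implementation: a mergeless clause tree is stored as an undirected tree on its clause nodes with one edge per internal atom node; `height_profile` computes $f(c, h, T)$ for all h by absorbing one adjacent atom node at a time with the recursion above, using suffix sums over $T_2$ so that each step is linear in h; `count_brts` sums the profile, and `lower_bound_f` evaluates equation (1) from the sizes of the two sides of every atom node. The representation and all names are assumptions of the example; `path` and `claw` build the trees of Figures 4 and 3, whose counts are $C_n$ and $n!$.

```python
from math import comb, factorial
from typing import Dict, List, Optional, Tuple

# Added example (not the paper's code): the Section 4 dynamic programme for c(T) of a
# mergeless clause tree, plus the Section 3 lower bound f(T) of equation (1).
# Representation (an assumption made here): a mergeless clause tree is an undirected
# tree on its clause nodes; every edge stands for one internal atom node, i.e. one
# resolution, so the open leaves need not be recorded.
Tree = Dict[str, List[str]]


def tree_from_edges(edges: List[Tuple[str, str]]) -> Tree:
    t: Tree = {}
    for u, v in edges:
        t.setdefault(u, []).append(v)
        t.setdefault(v, []).append(u)
    return t


def catalan(n: int) -> int:
    return comb(2 * n, n) // (n + 1)


def height_profile(tree: Tree, c: str, parent: Optional[str] = None) -> List[int]:
    """Return [f(c,0,T_c), f(c,1,T_c), ...] for the subtree T_c hanging off c when the
    tree is rooted away from `parent`: the number of brts of T_c in which the leaf for c
    sits at height h.  Adjacent atom nodes are absorbed one at a time with
    f(c,h,T) = sum_k C(h,k) f(c,k,T1) sum_{j>=h-k-1} f(d,j,T2)."""
    prof = [1]                                    # lone clause node: f(c,0) = 1
    for d in tree[c]:
        if d == parent:
            continue
        f2 = height_profile(tree, d, c)           # T2: the subtree on d's side of atom node a
        suffix = [0] * (len(f2) + 1)              # suffix[m] = sum_{j >= m} f(d, j, T2)
        for j in range(len(f2) - 1, -1, -1):
            suffix[j] = suffix[j + 1] + f2[j]
        f1 = prof                                 # T1: everything absorbed at c so far
        merged = [0] * (len(f1) + len(f2))        # one more edge: heights up to len(f1)+len(f2)-1
        for h in range(1, len(merged)):
            total = 0
            for k in range(min(h, len(f1))):      # k T1 nodes on the path, a itself, h-k-1 T2 nodes
                need = h - k - 1
                if f1[k] and need < len(suffix):
                    total += comb(h, k) * f1[k] * suffix[need]
            merged[h] = total
        prof = merged
    return prof


def count_brts(tree: Tree, root: Optional[str] = None) -> int:
    """c(T): the number of brts corresponding to the mergeless clause tree (root-independent)."""
    root = root if root is not None else next(iter(tree))
    return sum(height_profile(tree, root))


def edges_beyond(tree: Tree, v: str, parent: str) -> int:
    """Internal atom nodes in the component of v after cutting the edge (parent, v)."""
    return sum(1 + edges_beyond(tree, d, v) for d in tree[v] if d != parent)


def lower_bound_f(tree: Tree) -> int:
    """f(T) of equation (1): sum over atom nodes a_i of C_{b_i} C_{n-1-b_i}, where b_i is the
    number of internal atom nodes on the smaller side of a_i."""
    n = sum(len(nb) for nb in tree.values()) // 2
    total, seen = 0, set()
    for u in tree:
        for v in tree[u]:
            if (v, u) in seen:
                continue
            seen.add((u, v))
            side = edges_beyond(tree, v, u)
            b = min(side, n - 1 - side)
            total += catalan(b) * catalan(n - 1 - b)
    return total


def path(n: int) -> Tree:
    """Clause tree that is a path with n internal atom nodes (Figure 4): c(T) = C_n."""
    return tree_from_edges([(f"c{i}", f"c{i + 1}") for i in range(n)])


def claw(n: int) -> Tree:
    """Extended claw with n internal atom nodes (Figure 3): c(T) = n!."""
    return tree_from_edges([("centre", f"unit{i}") for i in range(n)])


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, count_brts(path(n)), catalan(n), count_brts(claw(n)), factorial(n))
```

The constructed tree in the test (a claw with one arm extended by a second atom node) is neither a path nor a claw; its count, 18, lies strictly between $C_4 = 14$ and $4! = 24$, and equation (1) gives 17 for it, one less than the exact count.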

5 Proofs with Merges 

If the proof includes merging or factoring of literals, then the above arguments 
are not valid. Each merge requires that some of the resolutions be performed 
before the resolution of the merged literal. Hence the number of equivalent proofs 
is smaller for the same number of resolution steps. A single merge can reduce the 
number of equivalent brts considerably. In the case of a single merge in a proof, 
the number is divided by approximately the number of internal atom nodes on 
the merge path in the clause tree. If the merge were just within an input clause, 
it does not change the number of equivalent brts at all. It is assumed that 
merges always occur between literals from different input clauses, specifying 
that different occurrences of a given input clause are considered to be different 
input clauses. Moreover we assume that no two distinct literals from the same 
occurrence of a clause are merged with the same literal of another clause. In a 
clause tree this means that two merge paths with the same head cannot have 
their tails being adjacent to the same clause node, because this implies that the 
two literals of one input clause are factored. 
The following theorem defines a lower bound on $c(T)$, denoted by $lb(n, m)$, 
which is a product of Catalan numbers. 

Theorem 3. Let T be a brt with n internal nodes and m merges, so that it 
corresponds to a clause tree T with m merge paths. Also let $n = \sum_{i=0}^{m} n_i$ such 
that $n_i = \lfloor n/(m+1) \rfloor$ or $n_i = \lfloor n/(m+1) \rfloor + 1$. Then 

$$c(T) \geq \prod_{i=0}^{m} C_{n_i} = lb(n, m)$$

Moreover this bound is tight. 

Proof. First we demonstrate the extreme case. Let $n = k(m+1)$. Let brt T 
correspond to a clause tree $\mathcal{T}$ whose internal atom nodes $a_1, a_2, \ldots, a_n$ all lie in 
order on a single path. Thus all the nodes of $\mathcal{T}$ form a path except possibly for 
atom nodes which are leaves. Let $\mathcal{T}$ have m merge paths $P_1, P_2, \ldots, P_m$. Let the 
heads of the paths be spaced out almost equally along the path, with the head 
of path $P_i$ at atom node $a_{ki+1}$, and the tail of $P_i$ adjacent to the clause node 
adjacent to $a_1$ and not between $a_1$ and $a_2$. See Figure 8. 

Fig. 8. An example of the lower bound, with $c(T) = (C_2)^4$. 



Let $n_i$ be the interior node of the brt T corresponding to the interior atom 
node $a_i$ of the clause tree $\mathcal{T}$. The resolutions corresponding to $a_1, \ldots, a_k$ must 
all occur before the resolution of $a_{k+1}$, and so $n_1, \ldots, n_k$ form a sub-brt $T_1$ of 
T. Because $\mathcal{T}$ is effectively a path, the root of $T_1$ is a parent of $n_{k+1}$. By the 
results of the previous section, there are $C_k$ brts rotationally equivalent to $T_1$. 
Similarly the resolutions corresponding to $a_{k+1}, \ldots, a_{2k}$ must all occur before the 
resolution of $a_{2k+1}$, and again these resolutions can be organized in $C_k$ ways. 
The nodes $n_1, \ldots, n_{2k}$ must form a sub-brt $T_2$ of T, and the root of $T_2$ must be 
a parent of $n_{2k+1}$. The number of brts rotationally equivalent to $T_2$ equals the 
product of the number of ways that the nodes $n_{k+1}, \ldots, n_{2k}$ can be organized and 
the number of brts rotationally equivalent to $T_1$, that is $(C_k)^2$. Continuing in this 
way, for $j = 1, \ldots, m$, nodes $n_1, \ldots, n_{kj}$ form a sub-brt $T_j$ which is rotationally 
equivalent to $(C_k)^j$ brts. Then $T_m = T$, and is equivalent to $(C_k)^m$ brts. 

Next we prove the lower bound. Consider the set A of interior atom nodes of 
$\mathcal{T}$ that are not interior nodes of any merge path. They may be heads of merge 
paths. Consider $\mathcal{C} = \mathcal{T} - A$, $\mathcal{T}$ with the nodes of A and their incident edges 
deleted. $\mathcal{C}$ consists of a set of $k \leq m$ component clause trees which are subtrees 
of $\mathcal{T}$. Some of these trees may consist of a single isolated clause node. Let the 
nontrivial component clause trees be $\mathcal{C}_i$ with $n_i$ internal atom nodes and $m_i$ 
merge paths. Note that for each non-trivial component clause tree $\mathcal{C}_i$, at least 
one merge path with internal atom nodes in it has as its head an atom 
node from A. Exclude these merge paths from being chosen merge paths of the 
$\mathcal{C}_i$. Also consider the clause tree $\mathcal{D}$ obtained from $\mathcal{T}$ by contracting all the edges 
of $\mathcal{C}$. $\mathcal{D}$ is a mergeless clause tree with, say, $n_0$ internal atom nodes. Note that 
$\sum_{i=0}^{k} n_i = n$ and $\sum_{i=1}^{k} m_i \leq m - k$. 

Let C_i be a brt corresponding to 𝒞_i, and D a brt corresponding to 𝒟. Then
build a brt from D by replacing each leaf of D which corresponds to a contracted
𝒞_i by C_i. The resulting brt corresponds to 𝒯. Moreover the result is different if
any of the component brts are changed. Thus

$$c(T) \ge c(D) \prod_{i=1}^{k} c(C_i) \ge C_{n_0} \prod_{i=1}^{k} lb(n_i, m_i).$$

Each lb(n_i, m_i) is a product of Catalan numbers. By the earlier observation
that the product C_k C_{h−k} is minimized when k = h/2 or k = (h−1)/2
for a fixed h, the product of all the Catalan numbers is minimized when the
subscripts are as equal as possible. One can also see that maximizing the number
of factors minimizes the product, by considering adding a factor of C_0 to the
product if there is not a factor for each merge path. □
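To make the bound concrete, here is an added example (not code from the paper) that computes lb(n, m) from Catalan numbers and checks, by exhaustive search over all ways of distributing n among m + 1 subscripts, the claim that the product is smallest when the subscripts are as equal as possible; claw_upper_bound is the n!/(m + 1) count the paper gives for the claw with m merge paths sharing one head. Function names are mine.

```python
from math import comb, factorial


def catalan(k):
    """C_k = (2k choose k) / (k + 1): the number of brts rotationally
    equivalent to one whose clause tree is a mergeless path of k atom nodes."""
    return comb(2 * k, k) // (k + 1)


def lb(n, m):
    """lb(n, m) = prod_{i=0}^{m} C_{n_i} with the n_i as equal as possible:
    r of the m + 1 parts get floor(n/(m+1)) + 1, the others floor(n/(m+1))."""
    q, r = divmod(n, m + 1)
    return catalan(q + 1) ** r * catalan(q) ** (m + 1 - r)


def compositions(n, parts):
    """All tuples of `parts` non-negative integers summing to n (only used
    to check the minimisation claim exhaustively; exponential in n)."""
    if parts == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, parts - 1):
            yield (first,) + rest


def catalan_product(ns):
    out = 1
    for k in ns:
        out *= catalan(k)
    return out


def min_catalan_product(n, m):
    """Smallest product of m + 1 Catalan numbers whose subscripts sum to n,
    found by brute force; the paper argues this is exactly lb(n, m)."""
    return min(catalan_product(ns) for ns in compositions(n, m + 1))


def claw_upper_bound(n, m):
    """n!/(m + 1): the number of brts for the claw with m merge paths that
    share one head, which any general upper bound must still allow."""
    return factorial(n) // (m + 1)


if __name__ == "__main__":
    for n in range(1, 10):
        for m in range(0, 4):
            assert min_catalan_product(n, m) == lb(n, m), (n, m)
    print("lb(8, 2) =", lb(8, 2), " claw bound 8!/3 =", claw_upper_bound(8, 2))
```

The exhaustive check is what justifies the "as equal as possible" step for small n; for larger n the product form lb(n, m) is all that is needed.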

Let n = (m + 1)k. Because C_k = Θ(4^k / k^{3/2}) and C_n > …, it follows that

c(T) > …

Fig. 9. A clause tree with merges and many equivalent brts.



The upper bound on the number of equivalent brts does decrease when merge
paths are allowed, but not very much. I do not have a proof of an upper bound
significantly better than n!, but it is no less than n!/(m + 1). Consider the same
clause tree as in the mergeless case, the claw if you like, and add m merge paths,
all with the same head, h, from tails t_1, t_2, ..., t_m attached at m distinct clause
nodes, and not the central clause node. The m atom nodes internal to the merge
paths must resolve before the atom node at the head. This decreases the number
of brts by a factor of m + 1. See Figure 9. Is this clause tree the extreme case?
6 Open Questions and Discussion

A natural question to ask is whether there is a polynomial-time algorithm to
count the number of equivalent brts with n internal nodes and m merges. If we
cannot count them, or alternatively show that this is a difficult question, then
our understanding of binary resolution is limited.

More important is asking the equivalent questions for dags. Dags are what 
binary resolution theorem provers usually produce as proofs. Can one count 
the number of rotationally equivalent binary resolution dags, with or without 
merges? Can one put bounds on the number of such dags? Maybe this is a very 
difficult question. 

Perhaps a more interesting question is: given a brt, what is the smallest equivalent
dag? Goerdt [1] has shown that there are unsatisfiable sets of clauses such
that the smallest non-regular (an atom label does not occur twice on one branch
of the brt) refutation is exponentially bigger than the smallest refutation. Since
the smallest refutation brt is regular, indeed surgically minimal, for any unsatisfiable
set of clauses, the smallest brt must be exponentially larger than the
smallest dag. I do not know whether the smallest rotationally equivalent dag is
typically, commonly or only rarely much smaller than the smallest brt.

The previous question leads to another. Is there some other reasonable def- 
inition of equivalence for dags? Using clause trees, one can do more than just 
path reversals to get more proofs which are almost equivalent. One has the oper- 
ations of surgery and supplanting. Surgery is not always reversible, so this is not 
a strict equivalence relation, yet a refutation always transforms to a refutation, 
and even non-refutations may transform to a refutation. 

I wanted to determine the size of these equivalence classes in order to prove
that a procedure that avoids producing redundant brts would be significantly
faster than an otherwise equivalent procedure which produces all the brts in an
equivalence class. As it is obvious that the classes are exponentially large, I
thought that the speedup would also be exponential. Only later did I realize
that one should take the n-th root of the count to estimate the speedup.

Consider a tree which represents the ways in which a given brt can be calculated.
Each node in the tree represents a partial proof (minimal set of brts
from which the result of the proof can be derived). The root represents the single
clause which is the result of the proof. Each edge corresponds to doing a single
step (resolution), with the node closer to the root containing the result of the
resolution of two of the clauses from the further node, and all the other clauses
from the further node. Each leaf has all the input clauses used in the proof. Every
leaf is of height n; the number of leaves is the number of equivalent proofs.
For each internal node of the tree, a procedure which avoids associative redundancy
only does a resolution on a single edge leading to it, whereas a procedure
which keeps all associative redundancy, even if it removes all identical clauses,
does every resolution in this tree eventually. Thus the speedup of avoiding the
associative redundancy is the average degree of the nodes in this tree. If the
tree were regular, the average degree would be the n-th root of the number of
equivalent brts. Since the tree is clearly not regular, this estimate is not rigorous.
The leaves are of degree one, and the degree typically increases as one approaches
the root, which suggests that the average degree is less than the n-th root. On
the other hand, one must consider these trees over all brts which are produced.
The leaves occur in many of these trees for many different brts, and what one
should average over is the number of ways in which each brt can be constructed
in one step. This number is the number of internal atom nodes which are not
interior nodes of chosen merge paths, and typically increases as one considers
larger brts. Because there are more larger brts, I believe that the average speedup
is at least 4, maybe even proportional to the size of the resulting proof, but this
must be verified experimentally.

The problem of getting an exact count in polynomial time intrigued me because
the obvious dynamic programming algorithm is not polynomial. The solution
using clause trees shows the effectiveness of clause trees as a tool for thinking
about binary resolution.

Thanks are due to the anonymous referees for suggesting improvements to 
the paper. 
Abstract. The splitting rule is a tableau-like rule that is used in the
resolution context. In case the search state contains a clause C_1 ∨ C_2,
which has no shared variables between C_1 and C_2, the prover splits the
search state, and tries to refute C_1 and C_2 separately.

Instead of splitting the state of the theorem prover, one can create a new
proposition symbol α, and replace C_1 ∨ C_2 by C_1 ∨ α and ¬α ∨ C_2. In
the first clause α is the least preferred literal. In the second clause ¬α is
selected. In this way, nothing can be done with C_2 as long as C_1 has not
been refuted.

This way of splitting simulates search state splitting only partially, because
a clause that inherits from C_1 ∨ α cannot subsume or simplify a
clause that does not inherit from C_1. With search state splitting, a clause
that inherits from C_1 can in principle subsume or simplify clauses that
do not derive from C_1. As a consequence, splitting through new symbols
is less powerful than search state splitting. In this paper, we present a
solution for this problem.



1 Introduction 

It is an empirical fact that methods with state splitting are better on propositional
problems than resolution-like methods. When there are variables, state
splitting becomes difficult due to the fact that it is necessary to maintain shared
variables between states. It seems reasonable to keep as much as possible from
state splitting, while avoiding the problems with shared variables.

The splitting rule is the following rule: Suppose that the search state of a
resolution theorem prover contains a clause C_1 ∨ C_2, where both C_1 and C_2 are
non-trivial and have no variables in common. In that case the prover splits its
search state into two states, one for C_1 and one for C_2. When properly applied,
the splitting rule can improve the chance of finding a proof significantly. In
addition to increased efficiency when finding a proof, the splitting rule increases
the chance of finding a saturation. This is due to the fact that C_1 or C_2 may
backward subsume clauses that are not subsumed by C_1 ∨ C_2. Similarly it may
be possible to derive an equality from C_1 or C_2 that simplifies the search state
significantly, but which could not be derived from C_1 ∨ C_2.

Some resolution decision procedures rely on the splitting rule. Examples are
the procedure for E+ of [FLTZ93] and [dN94], and the procedure for the 2-variable
fragment of [dNPH01].
The splitting rule is practically useful, but difficult to implement in the resolution
context. Currently (2001), Spass ([Wb01]) is the only implementation of
resolution with search state splitting. It is not practical to make two copies of the
search state. Therefore splitting has to be implemented through backtracking.
The system deletes C_1 ∨ C_2 from the search state, and replaces it by C_1. After
that, search continues until either a saturation or a proof is found. If it finds a
saturation then the system can terminate. If the empty clause is derived, then
the system has to backtrack to the point at which C_1 was introduced, and replace
it by C_2. In order to be able to restore the search state, the theorem prover
has to do a complex administration. In particular, when a clause is deleted because
it is subsumed or rewritten, it has to be done in such a way that it can
be restored.

Because of these implementation difficulties, some resolution provers implement
the following approximation: If the clause C_1 ∨ C_2 can be split, then it can
be replaced by the two clauses C_1 ∨ α and ¬α ∨ C_2. Here α is a new propositional
atom. It is ensured that α is the least preferred literal in C_1 ∨ α, and that ¬α is
selected in ¬α ∨ C_2. The only way in which ¬α ∨ C_2 can be used is by resolving
it with a clause in which α is maximal. Such a clause will be derived only when
C_1 is refuted. This way of splitting has been implemented in the Saturate system
([?]) and in Vampire ([RV01]). We call this way of splitting splitting
through new symbols.

Structural clause transformations ([NW01], [BFL94]) are closely related to
splitting through new symbols. Assume that F_1 ∨ F_2 is antiprenexed, i.e. that
quantifiers are factored inwards as much as possible. In that case, every free
variable of F_1 or F_2 is a free variable of both F_1 and F_2. A structural clause
transformation would replace F_1 ∨ F_2 by F_1 ∨ α(x̄) and ∀x̄ (α(x̄) → F_2). Here x̄
are the free variables of F_2 and α is a new predicate symbol. In case F_1 and F_2
have no shared variables, symbol α will be propositional.

Unfortunately, splitting through new symbols only partially simulates search
state splitting, because the new symbols hinder backward subsumption and simplification.
Every clause that inherits from C_1 contains the literal α. Because of
this, it cannot simplify or subsume a clause that does not inherit from C_1. This
means that splitting through new symbols lacks one of the major advantages
of splitting. In this paper, we give the following solution for this problem:
If there are two clauses C_1 ∨ α and D, and C_1 subsumes D, then we replace D
by ¬α ∨ D. In this way D is switched off until α has been derived.

Simplification can be handled in the same way. Suppose that C_1 can simplify
the clause D_1 into D_2, but that the prover has the clause C_1 ∨ α instead of C_1
in its search state. Then D_1 is replaced by D_2 ∨ α and ¬α ∨ D_1. Doing this, the
simplification D_2 is available on the current branch, and D_1 is switched off until
α has been derived. We give an example:

Example 1. Suppose that one wants to refute the following clause set

p(0), ¬p(s^16(0)), s(s(X)) ≈ X ∨ s(Y) ≈ Y,

and assume that one is using the Knuth-Bendix order. The equalities in the last
clause are incomparable under the Knuth-Bendix order, so both equalities have
to be used for paramodulation.

The last clause can be split into s(s(X)) ≈ X and s(Y) ≈ Y. Splitting results
in the following two states, both of which have a trivial refutation using simple
rewriting and one resolution step. The states are:

p(0), ¬p(s^16(0)), s(s(X)) ≈ X,

and

p(0), ¬p(s^16(0)), s(Y) ≈ Y.

Instead of search state splitting, one can split through a new symbol. Using α
as new symbol, the last clause can be replaced by

s(s(X)) ≈ X ∨ α and ¬α ∨ s(Y) ≈ Y.

After that, α can be derived by iterated paramodulation from s(s(X)) ≈ X ∨ α.
When this is done, s(Y) ≈ Y becomes available again. This equality will simplify
¬p(s^16(0)) into ¬p(0).

In Example 1, splitting through new symbols is better than no splitting at all,
but it is still not as good as state splitting. In the first search state, s(s(X)) ≈ X
can simplify ¬p(s^16(0)) into ¬p(0). However s(s(X)) ≈ X ∨ α cannot simplify
¬p(s^16(0)), because of the extra literal α.

In the following example, we use extended backward simplification:

Example 2. With extended backward simplification, Example 1 is handled as
follows: After the split, the search state consists of the clauses

p(0), ¬p(s^16(0)), s(s(X)) ≈ X ∨ α, ¬α ∨ s(X) ≈ X.

With s(s(X)) ≈ X ∨ α, the clause ¬p(s^16(0)) is simplified into

¬p(s^14(0)) ∨ α and ¬α ∨ ¬p(s^16(0)).

Seven more rewrites result in

¬p(0) ∨ α and ¬α ∨ ¬p(s^16(0)).

Now the complete search state consists of the clauses

p(0), ¬p(0) ∨ α, s(s(X)) ≈ X ∨ α,

¬α ∨ ¬p(s^16(0)), ¬α ∨ s(X) ≈ X.

The first two clauses resolve into the clause α. After that, the two last clauses
resolve with α, which results in the clauses

¬p(s^16(0)) and s(X) ≈ X.

Now ¬p(s^16(0)) is simplified into ¬p(0), which resolves with p(0) into the empty
clause.
In order to handle cases where more than one splitting symbol is missing,
it is necessary to extend the clause format. Suppose that C_1 subsumes C_2, but
the search state contains C_1 ∨ α ∨ β. In that case C_2 has to be restored when
either of α or β is derived. One could obtain this by replacing C_2 by ¬α ∨ C_2
and ¬β ∨ C_2. However, when there are many splitting symbols, this would result
in too many copies. For this reason, it is better to extend the clause format by
allowing negated disjunctions of splitting symbols. Using the extension, C_2 can
be replaced by ¬(α ∨ β) ∨ C_2. Each of the symbols α or β can restore C_2. Note
that only a minor extension of the clause format is needed. Negated disjunctions
need to be added only for splitting symbols, not for usual atoms. Both the
positive disjunctions of splitting literals and the negative disjunctions can be
easily represented by bit strings, so they can be manipulated very efficiently.
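As an added example (not the paper's code), the following Python replays Example 2 with the representation just described: splitting contexts and negated disjunctions are bit strings, a blocked clause carries its tuple of negated disjunctions, and a blocked clause is switched on again by discharging each negated disjunction with a derived clause of splitting atoms, as in the RESTORE rule of Definition 7 below. Terms s^n(0) are encoded as integers and the equations s^a(X) ≈ X as the rewrite n ↦ n mod a; all function and literal names are my own choices.

```python
from dataclasses import dataclass

# Splitting atoms live in bit strings: bit i stands for the i-th splitting
# atom, and the maximal atom of a context is its highest set b4.
ALPHA = 1


def p(n, neg=False):
    """Ground literal [¬]p(s^n(0)); the term s^n(0) is stored as the integer n."""
    return ('p', n, -1 if neg else 1)


def eq(a):
    """Unit equation s^a(X) ≈ X, oriented left to right, so it rewrites
    s^n(0) to s^(n mod a)(0) in n // a steps."""
    return ('eq', a, 0)


@dataclass(frozen=True)
class Clause:
    lits: frozenset        # literals of the underlying calculus
    ctx: int = 0           # τ: positive splitting atoms, as a bit string
    block: tuple = ()      # (σ_1, ..., σ_p): negated disjunctions, bit strings

    def is_empty(self):
        return not self.lits and self.ctx == 0 and not self.block


def split(clause, first, new_atom):
    """Non-extended splitting through a new symbol (Definition 2). In this
    fragment no two literals share variables, so the component of `first`
    is `first` alone and the remaining literals form C2. A context τ of the
    split clause is kept in both halves (sound, but no literal suppression)."""
    assert not clause.block and first in clause.lits and len(clause.lits) >= 2
    c1 = Clause(frozenset({first}), clause.ctx | new_atom)        # C1 ∨ β
    c2 = Clause(clause.lits - {first}, clause.ctx, (new_atom,))  # ¬β ∨ C2
    return c1, c2


def simplify(rule, target):
    """Extended backward simplification. `rule` is [s^a(X) ≈ X] ∨ τ; every
    p(s^n(0)) in `target` is rewritten to p(s^(n mod a)(0)) and the result
    takes over τ. If τ is non-empty, the original target survives as the
    blocked clause ¬τ ∨ target, to be switched on again once τ is derived."""
    assert not rule.block and not target.block and len(rule.lits) == 1
    (_, a, _), = rule.lits
    rewritten = frozenset((k, n % a, s) if k == 'p' else (k, n, s)
                          for k, n, s in target.lits)
    d2 = Clause(rewritten, target.ctx | rule.ctx)
    if rule.ctx == 0:
        return [d2]                      # plain simplification, nothing to restore
    return [d2, Clause(target.lits, target.ctx, (rule.ctx,))]


def subsume(subsumer, target):
    """Extended backward subsumption: if C1 ∨ τ subsumes D (here: C1 ⊆ D on
    ground literals), D is not deleted but blocked as ¬τ ∨ D."""
    assert not subsumer.block and subsumer.lits <= target.lits
    if subsumer.ctx == 0:
        return None                      # ordinary subsumption: D is deleted
    return Clause(target.lits, target.ctx, target.block + (subsumer.ctx,))


def resolve(c1, c2):
    """Binary resolution on complementary ground p-literals (rule CONTEXT):
    the splitting contexts of both parents are collected in the resolvent."""
    assert not c1.block and not c2.block
    for lit in c1.lits:
        k, n, s = lit
        comp = (k, n, -s)
        if k == 'p' and comp in c2.lits:
            return Clause((c1.lits - {lit}) | (c2.lits - {comp}), c1.ctx | c2.ctx)
    return None


def restore(blocked, atom_clauses):
    """Rule RESTORE: for every σ_i of the block find a clause consisting only
    of splitting atoms whose maximal atom lies in σ_i; the rest of each such
    clause joins the context. Returns None if some σ_i cannot be discharged."""
    ctx = blocked.ctx
    for sigma in blocked.block:
        for c in atom_clauses:
            assert not c.lits and not c.block and c.ctx
            top = 1 << (c.ctx.bit_length() - 1)    # maximal atom of c
            if top & sigma:
                ctx |= c.ctx & ~top
                break
        else:
            return None
    return Clause(blocked.lits, ctx)


def run_example_2():
    """Replays Example 2 of the paper; returns the derivation as a list."""
    p0 = Clause(frozenset({p(0)}))
    np16 = Clause(frozenset({p(16, neg=True)}))
    c1, c2 = split(Clause(frozenset({eq(2), eq(1)})), eq(2), ALPHA)
    d2, d1 = simplify(c1, np16)        # ¬p(0) ∨ α (eight rewrites), ¬α ∨ ¬p(s^16(0))
    alpha = resolve(p0, d2)            # the clause α
    np16_back = restore(d1, [alpha])   # ¬p(s^16(0)) is switched on again
    eq1 = restore(c2, [alpha])         # s(X) ≈ X
    (np0,) = simplify(eq1, np16_back)  # ¬p(0)
    empty = resolve(p0, np0)           # the empty clause
    return [c1, c2, d2, d1, alpha, np16_back, eq1, np0, empty]
```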

If one does not want to extend the clause format, it is also possible to replace
C_2 by

γ ∨ C_2, ¬α ∨ γ, ¬β ∨ γ,

where γ is a new literal. However we think that it is better to make a small
extension to the clause format.

In the next section we formally define search state splitting, and we give a
couple of variants of splitting through new propositional symbols. After that,
in Section 3 we prove a general completeness result, that is general enough to
prove completeness of all types of splitting, combined with all restrictions of
resolution.



2 Splitting through New Symbols 

We first define two variants of the splitting rule, usual splitting and extended
splitting. It is possible to add the negation of one of the branches in the other
branch. This is called extended splitting. Extended splitting is possible because
C_1 ∨ C_2 is logically equivalent with C_1 ∨ (C_2 ∧ ¬C_1).

Definition 1. Let C be a clause, not the empty clause. Let A be a literal in C.
The component of A in C is the smallest subset C_1 of C, s.t.

— A ∈ C_1, and

— if literals B_1, B_2 have some variables in common, B_1 ∈ C_1, B_2 ∈ C, then
B_2 ∈ C_1.

Write C = C_1 ∨ C_2, where C_2 are the literals of C that are not in C_1. If C_2 is
non-empty, then clause C_1 ∨ C_2 can be split. Write Γ for the remaining clauses
in the search state of the theorem prover.

— Splitting is obtained by replacing the search state Γ, C_1 ∨ C_2 by two search
states Γ, C_1 and Γ, C_2.

— Extended splitting is defined by replacing the search state by the two search
states Γ, C_1 and Γ, ¬C_1, C_2. In the second proof state, variables in ¬C_1 have
to be Skolemized.
The original search state is refuted if both of the split search states are refuted.
The original search state has a saturation if one of the split search states has a
saturation.

Note that our definition implies that C_1 cannot be split another time. It is
possible however that C_2 can be split another time. In practice, one does not
always split when it is possible, because search state splitting is costly. Spass
uses heuristics to decide whether or not a possible split should take place, and
whether extended or simple splitting should be used. Typically both components
need to contain non-propositional, positive literals. It is reported in [Wb01] that
extended splitting is not always better than non-extended splitting. See [Wb01]
for details. Next we define splitting through new symbols. We do this in two
ways. The first way is the way that we described in the introduction. The second
way tries to reduce the number of splitting symbols by exploiting dependencies
between them. We call this splitting with literal suppression.

Definition 2. We first define splitting without literal suppression. Let C_1 ∨ C_2
be a clause that can be split.

— Non-extended splitting replaces the clause by

C_1 ∨ β, ¬β ∨ C_2.

— Extended splitting replaces the clause by

C_1 ∨ β, ¬β ∨ C_2, ¬β ∨ ¬C_1.

The negation of C_1 has to be Skolemized.

If some clause has more than one split clause among its parents, it will
contain more than one splitting symbol. If one would split such a clause using
Definition 2, then one more splitting symbol would be added. The following way of
splitting makes it possible to drop other splitting atoms when a clause that
already contains splitting atoms is split.

Definition 3. Let C_1 ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p be a clause that can be split, where
α_1, ..., α_p (p ≥ 0) are positive splitting symbols resulting from earlier splits. We
define splitting with symbol suppression.

— Simple splitting replaces the clause by

C_1 ∨ β, ¬β ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p,

¬α_1 ∨ β, ..., ¬α_p ∨ β.

— Extended splitting replaces the clause by

C_1 ∨ β, ¬β ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p, ¬β ∨ ¬C_1 ∨ α_1 ∨ ··· ∨ α_p,

¬α_1 ∨ β, ..., ¬α_p ∨ β.
It may seem that the effect of splitting with literal suppression can also be
obtained by splitting C_1 ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p into C_1 ∨ β and ¬β ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p.
However if the first clause resolves with a clause containing some of the α_i, then
both the α_i and β have to be kept in the resulting clause. If one has literal
suppression, then any clause of form D ∨ α_i ∨ ··· ∨ α_j ∨ β can be simplified into
D ∨ β, due to the presence of the ¬α_i ∨ β clauses.

For all four ways of splitting, it can be easily verified that the clauses resulting
from the split imply the original clause. This does not imply completeness for
the case where splitting is done eagerly, but it does imply that splitting with
fresh literals can be done finitely often without losing completeness.

We will now prove that the four ways of splitting are sound. We do this
by proving that in each case there exists a first-order formula F, which can be
substituted for β, such that the resulting clauses become logical consequences of
the original clause. This makes the splitting rules provably sound in higher-order
logic. This makes it possible to verify resolution proofs that use splitting through
new symbols, see [dN01]. In first-order logic, the splitting rules are satisfiability
preserving. Instead of substituting F for β, one can extend the interpretation
with β, and copy the truth value for β from F.

Theorem 1. For all four ways of splitting, there exists a formula F which can be
substituted for β, s.t. the resulting clauses are logical consequences of the original
clause.

Proof. — First we consider splitting without literal suppression. For non-extended
splitting, one can simply take

β := C_2.

For extended splitting, one can take

β := ¬C_1 ∧ C_2.

— Next we consider splitting with literal suppression. For non-extended splitting,
one can take

β := C_2 ∨ α_1 ∨ ··· ∨ α_p.

Substituting in the formulas that result from the split gives

C_1 ∨ (C_2 ∨ α_1 ∨ ··· ∨ α_p),

¬(C_2 ∨ α_1 ∨ ··· ∨ α_p) ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p,

¬α_1 ∨ (C_2 ∨ α_1 ∨ ··· ∨ α_p), ..., ¬α_p ∨ (C_2 ∨ α_1 ∨ ··· ∨ α_p).

The first formula equals C_1 ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p. The other formulae are
tautologies.

In the case of extended splitting with literal suppression, one can take

β := (¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p.

Substituting in the formulas resulting from the split gives

C_1 ∨ (¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p,

¬((¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p) ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p,

¬((¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p) ∨ ¬C_1 ∨ α_1 ∨ ··· ∨ α_p,

¬α_1 ∨ (¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p, ..., ¬α_p ∨ (¬C_1 ∧ C_2) ∨ α_1 ∨ ··· ∨ α_p.

It is easily checked that all of these formulas are tautologies or logical consequences
of C_1 ∨ C_2 ∨ α_1 ∨ ··· ∨ α_p.

3 A Meta Calculus 

We prove a general completeness result, which applies to all splitting strategies
described so far. We do not want the result to be restricted to one calculus,
or to one type of redundancy. The completeness result has to be applicable to
all resolution decision procedures that need the splitting rule, and also to other
refinements of resolution that are used for full first-order logic.

One could try to give separate completeness proofs for the various calculi,
but this is too complicated. The completeness proofs are rather heterogeneous.
Some of them rely on the completeness of the superposition calculus ([BG01]),
others are based on the resolution game ([dN94]) or lock resolution ([B71]).

In order to obtain a general completeness result, we define a meta calculus 
which extends some refinement of resolution (called calculus here) by adjoining 
the splitting atoms to it. We then prove relative completeness: Every derivation, 
that fulfills certain conditions, will either derive the empty clause, or construct 
in the limit a saturation of the original calculus. 

The rules of the meta calculus are obtained by modifying the rules of the 
original calculus. When a rule of the original calculus is applied on clauses con- 
taining splitting symbols, the resulting clause inherits the splitting symbols from 
the parents in the meta calculus. Redundancy in the meta calculus is obtained by 
combining the redundancy of the original calculus with propositional implication 
on the splitting symbols. 

It is necessary to keep the splitting symbols apart from the calculus literals. 
Using the propositional redundancy techniques in full generality on all literals 
would result in incompleteness. 

Definition 4. We identify a calculus C by its derivation rules and its redundancy
rules. A calculus is characterized by an ordered tuple C = (A, D, R, e) in
which

— A is the set of clauses,

— D ⊆ A* × A is the set of derivation rules,

— R ⊆ A* × A is the set of redundancy rules. R must be reflexive and transitive.
Reflexive means that R(a, a) for all a ∈ A. Transitive means that
R(a_1, ..., a_n, a) and R(b_1, ..., b_{i−1}, a, b_{i+1}, ..., b_m, b) imply

R(b_1, ..., b_{i−1}, a_1, ..., a_n, b_{i+1}, ..., b_m, b).

— e ∈ A is the empty clause of C.
In examples, clauses of C will be between square brackets, to stress that we
see them as closed objects. For example, if one would have ordinary resolution
with subsumption, one would have

([p(X) ∨ q(X)], [¬p(X) ∨ r(Y)]; [q(X) ∨ r(Y)]) ∈ D,

([p(X, Y) ∨ p(Y, X) ∨ r(X, Y)]; [p(X, X) ∨ r(X, X)]) ∈ D.

In R, one would have

([p(X) ∨ q(X)]; [p(0) ∨ q(0)]) ∈ R,

([p(X)]; [p(f(X))]) ∈ R.

The calculus C is considered on the predicate level. Clauses are not replaced 
by their ground instances. However, since the clauses of C are closed objects, the 
meta calculus is a propositional calculus. 

All natural redundancy criteria are transitive, because they are based on 
implication and on some ordering conditions. 

There is no need to specify what the splitting rules of C exactly are. The
reason for this fact is that, as far as completeness is concerned, splitting can be
handled by redundancy. When a clause C_1 ∨ C_2 is split into C_1 and C_2, both of
the components subsume the original clause.

The method can handle any form of splitting, as long as the clauses obtained
by splitting subsume the split clause. We are not concerned about soundness in
this section. The soundness of most of the possible ways of splitting has been
proven in Theorem 1.

Definition 5. A saturated set is a set M ⊆ A, such that for each set of clauses
a_1, ..., a_n ∈ M, (n ≥ 0) and clause a ∈ A, for which

D(a_1, ..., a_n, a),

there are clauses b_1, ..., b_m ∈ M, (m ≥ 0) such that

R(b_1, ..., b_m, a).

A set M ⊆ A is a saturation of some set of initial clauses I if M is a saturated
set, and for each a ∈ I, there are clauses a_1, ..., a_m ∈ M, such that

R(a_1, ..., a_m, a).

We use the letter M for saturations, because they play the role of models. 
If the calculus C is complete, then M (in principle) represents a model of the 
clauses it contains. 

We now extend calculus C with splitting atoms: 

Definition 6. Let C = (A, D, R, e) be a calculus. Let (Σ, ≺) be a well-ordered
set of propositional atoms, non-overlapping with any object in A. Clauses of the
extended calculus C^Σ have form

(¬σ_1 ∨ ··· ∨ ¬σ_p) ∨ a ∨ τ.

It must be the case that a ∈ A. It is possible that a = e. Each σ_i (1 ≤ i ≤ p) is a
disjunction of splitting literals. If p > 0, then the clause is blocked by the sequence
(¬σ_1, ..., ¬σ_p). If p = 0, then the clause is not blocked. When the clause is not
blocked, we write a ∨ τ instead of ( ) ∨ a ∨ τ.

The τ is a disjunction of splitting atoms, representing the splitting context.
We assume that τ is sorted by ≺, with the maximal atom first, and that repeated
splitting atoms are deleted. If τ is empty, we omit it from the clause.

Similarly we write (¬σ_1 ∨ ··· ∨ ¬σ_p) ∨ τ instead of (¬σ_1 ∨ ··· ∨ ¬σ_p) ∨ e ∨ τ.
The empty clause of the extended calculus is the clause

( ) ∨ e ∨ ⊥,

where ⊥ is the empty disjunction.

Next we define the rules of the calculus C^Σ.

Definition 7. The derivation rules D^Σ of the extended calculus are defined as
follows:

CONTEXT: If D(a_1, ..., a_n, a) in the original calculus C, then for all splitting
contexts τ_1, ..., τ_n,

D^Σ(a_1 ∨ τ_1, ..., a_n ∨ τ_n, a ∨ (τ_1 ∨ ··· ∨ τ_n)).

On clauses that are not blocked, we simply apply the rules of C. The splitting
contexts of the parents are collected into the splitting context of the new
clause.

RESTORE: Let

c = (¬σ_1 ∨ ··· ∨ ¬σ_p) ∨ a ∨ τ

be a blocked C^Σ-clause with p > 0. For each i, 1 ≤ i ≤ p, let the clause c_i
have form α_i ∨ τ_i. (It consists only of splitting atoms.) It must be the case
that α_i is the maximal splitting atom of the clause α_i ∨ τ_i. If each α_i occurs
in σ_i, then we put D^Σ(c, c_1, ..., c_p, d) for the C^Σ-clause

d = a ∨ (τ ∨ τ_1 ∨ ··· ∨ τ_p).



Definition 8. The redundancy rule R^Σ is defined as follows: Assume that

R(a_{1,1}, ..., a_{1,m_1}; b_1), ..., R(a_{k,1}, ..., a_{k,m_k}; b_k)

in the original calculus C. If

¬a_{1,1} ∨ ··· ∨ ¬a_{1,m_1} ∨ b_1, ..., ¬a_{k,1} ∨ ··· ∨ ¬a_{k,m_k} ∨ b_k, c_1, ..., c_n ⊨ c

in propositional logic, treating the clauses a_{i,j}, b_i (1 ≤ i ≤ k, 1 ≤ j ≤ m_i) as
propositional atoms, then

R^Σ(c_1, ..., c_n, c).




Splitting through New Proposition Symbols 181 



What this rule says is that the calculus C^Σ inherits the redundancy from C
through propositional implication on the splitting literals. We give a couple of
examples in order to show that Definition 8 does what it is supposed to do:

Example 3. We show how R^Σ handles subsumption. Let C be the simple resolution
calculus. Clause p(X) ∨ q(X) subsumes p(s(X)) ∨ q(s(X)).

Then [p(X) ∨ q(X)] makes [p(s(X)) ∨ q(s(X))] redundant in C^Σ, because

¬[p(X) ∨ q(X)] ∨ [p(s(X)) ∨ q(s(X))], [p(X) ∨ q(X)] ⊨ [p(s(X)) ∨ q(s(X))].

Similarly [p(X) ∨ q(X)] ∨ α makes [p(s(X)) ∨ q(s(X))] ∨ α redundant, because
of the propositional implication

¬[p(X) ∨ q(X)] ∨ [p(s(X)) ∨ q(s(X))], [p(X) ∨ q(X)] ∨ α ⊨

[p(s(X)) ∨ q(s(X))] ∨ α.

In the presence of [p(X) ∨ q(X)] ∨ α, it is possible to replace [p(s(X)) ∨ q(s(X))] by
¬α ∨ [p(s(X)) ∨ q(s(X))], because [p(X) ∨ q(X)] ∨ α and ¬α ∨ [p(s(X)) ∨ q(s(X))]
make [p(s(X)) ∨ q(s(X))] redundant in R^Σ. This fact follows from the following
propositional implication

¬[p(X) ∨ q(X)] ∨ [p(s(X)) ∨ q(s(X))],

[p(X) ∨ q(X)] ∨ α, ¬α ∨ [p(s(X)) ∨ q(s(X))] ⊨ [p(s(X)) ∨ q(s(X))].

The following example demonstrates how R^Σ handles simplification:

Example 4. If C is the superposition calculus, then the clauses

c_1 = [s(X) ≈ X] ∨ α and c_2 = [t(Y) ≈ Y] ∨ β

can simplify d = [p(s(X), t(Y))] into

d_1 = [p(X, Y)] ∨ α ∨ β and d_2 = ¬(α ∨ β) ∨ [p(s(X), t(Y))].

In order to justify this simplification, we need to show that c_1, c_2, d_1, d_2 make d
redundant in C^Σ. This follows from the implication

¬[s(X) ≈ X] ∨ ¬[t(Y) ≈ Y] ∨ ¬[p(X, Y)] ∨ [p(s(X), t(Y))],

[s(X) ≈ X] ∨ α, [t(Y) ≈ Y] ∨ β,

[p(X, Y)] ∨ α ∨ β, ¬(α ∨ β) ∨ [p(s(X), t(Y))] ⊨

[p(s(X), t(Y))].

The following example shows how Definition 8 handles splitting through fresh
literals.

Example 5. Suppose we want to split p(X) ∨ q(Y). Both p(X) and q(Y) make
p(X) ∨ q(Y) redundant in the original calculus C. Because of the implication

¬[p(X)] ∨ [p(X) ∨ q(Y)], ¬[q(Y)] ∨ [p(X) ∨ q(Y)],

[p(X)] ∨ α, ¬α ∨ [q(Y)] ⊨

[p(X) ∨ q(Y)],

the clauses p(X) ∨ α and ¬α ∨ q(Y) make p(X) ∨ q(Y) redundant in C^Σ.

The last example gives a simplification that is allowed by Definition 8.

Example 6. Suppose there is a clause

(¬σ_1 ∨ ··· ∨ ¬σ_p) ∨ a ∨ τ,

and one of the splitting symbols in τ occurs in one of the σ_i. Call this splitting
atom α. Then the clause can be replaced by

(¬σ_1 ∨ ··· ∨ ¬σ′_i ∨ ··· ∨ ¬σ_p) ∨ a ∨ τ,

where σ′_i is obtained by deleting α from σ_i. If σ′_i is empty, then the clause can
be removed completely.

It is clear that all variants of Definition 2 and Definition 3 can be handled,
because the clauses resulting from the split logically imply the original clause.
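The propositional entailments of Definition 8 and the substitution argument of Theorem 1 can be checked mechanically. The following is an added example, not code from the paper: a small truth-table entailment checker over formula trees, applied to Example 5 (with and without the blocked clause ¬α ∨ [q(Y)]) and to the literal-suppression case of Theorem 1. The atom names ('p(X)vq(Y)', 'alpha', 'C1', 'beta') are my encodings of the paper's bracketed clauses and symbols.

```python
from itertools import product

# Formulas are nested tuples over atom names: 'C1', ('not', f), ('or', f, ...),
# ('and', f, ...). A bracketed clause such as [p(X) ∨ q(X)] is a single atom
# here, exactly as Definition 8 treats it.


def atoms(f, acc=None):
    acc = set() if acc is None else acc
    if isinstance(f, str):
        acc.add(f)
    else:
        for g in f[1:]:
            atoms(g, acc)
    return acc


def holds(f, v):
    """Truth value of f under the assignment v (a dict atom -> bool)."""
    if isinstance(f, str):
        return v[f]
    op, *args = f
    if op == 'not':
        return not holds(args[0], v)
    if op == 'or':
        return any(holds(g, v) for g in args)
    if op == 'and':
        return all(holds(g, v) for g in args)
    raise ValueError(op)


def entails(premises, conclusion):
    """premises ⊨ conclusion, decided by enumerating every assignment."""
    names = sorted(atoms(('and', *premises, conclusion)))
    for bits in product([False, True], repeat=len(names)):
        v = dict(zip(names, bits))
        if all(holds(q, v) for q in premises) and not holds(conclusion, v):
            return False
    return True


def substitute(f, name, g):
    """Replace every occurrence of atom `name` in f by the formula g."""
    if isinstance(f, str):
        return g if f == name else f
    return (f[0],) + tuple(substitute(h, name, g) for h in f[1:])


def Not(f):
    return ('not', f)


def Or(*fs):
    return ('or',) + fs


def example5_redundant():
    """Example 5: [p(X)] ∨ α and ¬α ∨ [q(Y)] make [p(X) ∨ q(Y)] redundant in
    R^Σ, given that each of [p(X)], [q(Y)] makes it redundant in C."""
    pX, qY, pXqY, a = 'p(X)', 'q(Y)', 'p(X)vq(Y)', 'alpha'
    from_r = [Or(Not(pX), pXqY), Or(Not(qY), pXqY)]   # the R facts of C as clauses
    return entails(from_r + [Or(pX, a), Or(Not(a), qY)], pXqY)


def example5_without_blocked_clause():
    """Dropping ¬α ∨ [q(Y)] loses the entailment: α alone could then be true."""
    pX, qY, pXqY, a = 'p(X)', 'q(Y)', 'p(X)vq(Y)', 'alpha'
    return entails([Or(Not(pX), pXqY), Or(Not(qY), pXqY), Or(pX, a)], pXqY)


def theorem1_suppression(p=2):
    """Theorem 1, non-extended splitting with literal suppression (Definition 3):
    with β := C2 ∨ α_1 ∨ ... ∨ α_p every clause produced by the split follows
    from the original clause C1 ∨ C2 ∨ α_1 ∨ ... ∨ α_p."""
    alphas = [f'alpha{i}' for i in range(1, p + 1)]
    original = Or('C1', 'C2', *alphas)
    split = [Or('C1', 'beta'), Or(Not('beta'), 'C2', *alphas)]
    split += [Or(Not(a), 'beta') for a in alphas]
    witness = Or('C2', *alphas)                  # the F chosen in the proof
    return all(entails([original], substitute(c, 'beta', witness)) for c in split)


def theorem1_wrong_witness(p=2):
    """A witness that is too weak (β := C2) fails for the ¬α_i ∨ β clauses."""
    alphas = [f'alpha{i}' for i in range(1, p + 1)]
    original = Or('C1', 'C2', *alphas)
    clause = Or(Not(alphas[0]), 'beta')
    return entails([original], substitute(clause, 'beta', 'C2'))
```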

Definition 9. A saturated set C of  is defined as follows: 

— For each clause c, which is derivable by rule CONTEXT from clauses 
c1, ..., cn ∈ M^, there are clauses d1, ..., dm ∈ M^, such that 

R(d1, ..., dm, c). 

— For each clause c, which is derivable by rule RESTORE from clauses 
c1, ..., cn ∈ M^, there are clauses d1, ..., dm ∈ M^ that do not contain 
negative Σ-literals, and 

R(d1, ..., dm, c). 

A set C ⊆ A^ is a saturation of some set of initial clauses C ⊆ A^ if it is a 
saturated set of  and for each c ∈ , there are d1, ..., dm ∈ , such that 

R(d1, ..., dm, c). 

It is necessary to restrict R^ in the definition of a saturated set, because the 
full combination of  and R^ would have been incomplete, even when C is 
complete. 

Theorem 2. If has a saturation that does not contain the empty clause, 
then C has a saturation not containing the empty clause. 
Proof. Let M^ be a saturation of . 

We construct an interpretation M = M1 ∪ M2, s.t. M1 consists of Σ-atoms, 
M2 consists of clauses from A, and all clauses of M^ are true in M. A clause 
(¬σ1 ∨ ··· ∨ ¬σp) ∨ a ∨ τ is true in M, if one of the following holds: 

— For one of the σi, none of the literals in σi occurs in M1. 

— There are clauses a1, ..., am ∈ M2, that make a redundant in the original 
calculus. 

— One of the symbols of τ occurs in M1. 

First put 

C1 = {c ∈ M^ | c has form ( ) ∨ ε ∨ τ}. 

These are the clauses containing only positive atoms from Σ. Next put 

C2 = {c ∈ M^ | c has form ( ) ∨ a ∨ τ and a ≠ ε}. 

We construct the set M1 from a sequence Σ0, Σ1, ... The set of symbols Σ 
is well-ordered by ≺. Let κ be the ordinal length of ≺ on Σ. Write σλ for the 
λ-th element of Σ, based on ≺. 

— For a limit ordinal λ, put Σλ = ⋃_{μ<λ} Σμ. This implies that Σ0 = { }. 

— For a successor ordinal λ+1, put Σ_{λ+1} = Σλ ∪ {σλ} if there is a clause of 
the form (σλ ∨ τ) ∈ C1, in which σλ is ≺-maximal and σλ ∨ τ is false in Σλ. 
If there is no such clause, then put Σ_{λ+1} = Σλ. 

— Finally put M1 = Σκ. 

Each clause of C1 is true in M1 and for each symbol σ ∈ M1 there is a clause 
c ∈ C1, such that σ is the maximal literal in c, and σ is the unique true literal 
of c. 

M2 is constructed essentially similar to M1, but there is no need to do an itera- 
tion, because every clause contains at most one clause from A. Let 

M2 = {a | ( ) ∨ a ∨ τ ∈ C2, and τ is false in M1}. 

We want to show that all clauses in M^ are true in M. For the clauses of 
C1 and C2, this is immediate. For the remaining clauses, we use the following 
argument: Let c be a clause of form 

(¬σ1 ∨ ··· ∨ ¬σp) ∨ a ∨ τ, 

with p > 0. Suppose that all σi are true in M1. For each σi, there is a symbol 
αi ∈ Σ, such that αi ∈ M1. There must be clauses 

α1 ∨ τ1, ..., αp ∨ τp, 

s.t. each αi is maximal in αi ∨ τi, and each τi is false in M1. By rule RESTORE, 
one can derive 

d = a ∨ (τ ∨ τ1 ∨ ··· ∨ τp). 

There are clauses b1, ..., bm ∈ C1 ∪ C2, which are true in M, s.t. 

R(b1, ..., bm, d). 

Because of this, d must be true in M. Since none of the τi is true, a ∨ τ must be 
true in M. This makes 

(¬σ1 ∨ ··· ∨ ¬σp) ∨ a ∨ τ 

true. 

It remains to show that M2 is a saturated set of C and that M2 does not contain 
ε. Clearly, by the way M2 is constructed, ε ∉ M2. 

Suppose that there are clauses a1, ..., an ∈ M2 from which an inference 
R(a1, ..., an, a) is possible. There are clauses a1 ∨ τ1, ..., an ∨ τn ∈ M^ for 
which the τi are false. By rule CONTEXT, it is possible to derive 

a ∨ (τ1 ∨ ··· ∨ τn). 

If we can prove that this clause is true in M, then we are ready, because then a 
must be true. If a is true there must be clauses in M2 that make it redundant. 

Because M^ is a saturated set of , there are clauses d1, ..., dm ∈ M^, 
which make a ∨ (τ1 ∨ ··· ∨ τn) redundant. The clauses d1, ..., dm are true in M. 
By definition of redundancy, there exist C-clauses 

a_{1,1}, ..., a_{1,m_1}, b_1, ..., a_{k,1}, ..., a_{k,m_k}, b_k, 

such that 

R(a_{1,1}, ..., a_{1,m_1}, b_1), ..., R(a_{k,1}, ..., a_{k,m_k}, b_k), 

and 

¬a_{1,1} ∨ ··· ∨ ¬a_{1,m_1} ∨ b_1, ..., ¬a_{k,1} ∨ ··· ∨ ¬a_{k,m_k} ∨ b_k, d1, ..., dm ⊢ a ∨ (τ1 ∨ ··· ∨ τn) 

in propositional logic. 

We know already that the clauses d1, ..., dm are true in M. The other clauses 
¬a_{j,1} ∨ ··· ∨ ¬a_{j,m_j} ∨ b_j (1 ≤ j ≤ k) are true by the fact that R is a transitive 
relation. From this it follows that a ∨ (τ1 ∨ ··· ∨ τn) is true. 

4 Conclusions 

We have presented a way of simulating search state splitting by splitting through 
new symbols. The method preserves redundancy elimination, which is particularly 
important if one is looking for a saturated set. 

In our method negative splitting literals are always selected, so that they 
block the clause. In [fwm], an interesting alternative was introduced: simply 
use a ≺-order which makes both the positive and the negative splitting atom 
minimal. In this way, different splitting branches are explored in parallel. Differ- 
ent branches cannot interact, because any inference between clauses of the form 
C1 ∨ α and C2 ∨ ¬α will result in a tautology. It would be interesting to see 
if our method of redundancy elimination could be combined with this style of 
splitting. 
Abstract. We give an algorithm for deciding E-unification problems 
for linear standard equational theories (linear equations with all shared 
variables at a depth less than two) and varity 1 goals (linear equations 
with no shared variables). We show that the algorithm halts in quadratic 
time for the non-uniform E-unification problem, and linear time if the 
equational theory is varity 1. The algorithm is still polynomial for the 
uniform problem. The size of the complete set of unifiers is exponential, 
but membership in that set can be determined in polynomial time. For 
any goal (not just varity 1) we give a NEXPTIME algorithm. 



1 Introduction 

Automated Deduction problems frequently involve the use of equational logic. 
Usually, it is necessary to solve some kind of equational unification problem [2]. 
These problems can take three forms. The simplest is the word problem, where 
one must decide if two given terms are equivalent modulo an equational theory. 
A more difficult problem is the problem of deciding E-unification, i.e., deciding if 
there is a substitution that will make two terms equivalent modulo an equational 
theory. Finally, it is also sometimes necessary to solve an E-unification problem, 
which means to find a generating set of all the substitutions which make two 
terms equivalent modulo an equational theory. 

All of these problems are undecidable in general. However, it is possible that 
an E-unification problem might be decidable in the equational theory of interest. 
Therefore, an important goal is to classify the equational theories and unification 
problems for which these problems can be solved. If a problem is decidable, it is 
also desirable to know the complexity of the problem. In particular, it would be 
especially useful to classify equational theories in a syntactic way, such that the 
decidability and complexity of these problems are easily known just by examining 
the equational theory¹. This paper makes progress in that direction. 

For a long time, one such syntactic class has been known: the class of ground 
equations (no variables). The word problem in this class is decidable in time 
$O(n \cdot \lg(n))$ [11]. The problem of deciding E-unification is NP-complete [12]. Shal- 
low theories are an extension of ground theories, where no variable in an equation 

* This work was supported by NSF grant number CCR-9712388 and ONR grant num- 
ber N00014-01-1-0435. 

¹ When we refer to an equational theory, we mean a finite presentation of the theory. 
occurs at a depth greater than one. This class was identified and shown decid- 
able in [4], and also studied in Em. For shallow theories, the word problem 
is decidable in polynomial time, deciding E-unification is NP-complete, and the 
number of E-unifiers in a minimal complete set of unifiers is simply exponential. 
See [18] for a simple proof. 

In linear standard theories [8, 18], both sides of each equation are linear, which 
means that no variable occurs twice on a side, and variables that are shared by 
both sides of the equation appear at depth 1 or 0 on both sides. Notice that 
non-shared variables may appear at any depth. The E-unification problem for 
this class has been shown to be decidable, but no complexity results are known, 
even for the word problem. The minimal complete set of E-unifiers has been 
shown to be finite, but a bound is not known. Similar results exist for standard 
theories [IH] and semilinear theories |p]. 

In this paper we give a new technique for finding decidability and complexity 
results for E-unification problems. The technique is based on a simple algorithm, 
given by goal-directed inference rules. We consider linear standard theories. In 
particular, we examine the E-unification problem for goals of varity 1, which 
means that no variable occurs more than once in the goal. This problem is 
simpler than the general E-unification problem, but more difficult than the word 
problem, so all the complexity results we obtain apply directly to the word 
problem. We make a distinction between uniform and non-uniform E-unification 
problems. In the uniform problem, the input contains the goal and the equational 
theory, while the non-uniform problem is parameterized by the equational theory, 
and the input just contains the goal. We show that the complexity of the non- 
uniform E-unification problem is quadratic. Furthermore, if no variable occurs 
more than once in any equation of the equational theory, then the complexity is 
linear. Even in the uniform problem the complexity is still polynomial. 

We show several other results. We define a set of terms, polynomial in size, 
such that every term in the range of a substitution in the complete set of E- 
unifiers belongs to that set of terms. Using that and the polynomial complexity 
result, we get some other results that are independent of our algorithm. We 
show how to construct a complete set of E-unifiers whose size is at most simply 
exponential. We also show that it is not possible to do better, by giving 
an example of a ground theory where the varity 1 E-unification problem has a 
simply exponential minimal complete set of E-unifiers. Even though the complete 
set of E-unifiers we construct is exponential, we show that membership in that 
set can be decided in polynomial time. 

Finally, we examine the general E-unification problem for linear standard 
theories, i.e., now the goal is unrestricted. In this case, we show that E-unification 
is decidable in NEXPTIME. The size of a minimal complete set is at most doubly 
exponential, but each term appearing in the range of a substitution in that set 
has linear depth. It is known that E-unification is NP-hard, because of the NP- 
completeness result for ground theories. So there is a gap here to be filled. 

We would like to give some flavor of our results. The first thing we do in 
this paper is to give a goal-directed inference procedure. We prove that the 
procedure is sound and complete for any linear theory and varity 1 goal. This 
inference system has interest on its own. It is similar to the inference procedure 
for Syntactic Theories [10]. However, our inference procedure does not require the 
theory to be syntactic. The problem of Eager Variable Elimination is an open 
problem for the inference procedure for Syntactic Theories and other related 
inference systems [6, 10, 15]. We solve it in our context, given the restriction on 
theories and goals. The only other procedure known to us where Eager Variable 
Elimination has been shown to preserve completeness is in PH. It is an important 
problem to solve because it adds determinism to the procedure. 

After proving the completeness of the inference rules for linear theories, we 
tailor them for linear standard theories. First we show that when an inference 
rule is applied to a varity 1 goal, it remains varity 1. In other words, no variables 
are shared among goal equations, and they can each be considered separately. We 
also give a polynomial size set of terms and show that every equation generated 
is made up of these terms. The inference rules may seem arbitrary, but they were 
designed to allow these two results, which were difficult to obtain for theories 
containing collapse axioms (see Section 3). Since no variable occurs more than 
once in a subgoal, Variable Elimination does not apply. Therefore, there are 
no inference rules that combine goal equations. This means that each inference 
rule can be written as a Horn Clause, with the premise of the inference rule at 
the head and its conclusion as the body. Since we know that only polynomially 
many terms can appear in the inference, we know we only need polynomially 
many instances of the Horn clause, and our complexity results follow from the 
fact that Horn Clause implication is decidable in linear time [^]. This process 
is similar to what is done in stably local theories |l6l2l7j . Results about the 
size of the complete set of E-unifiers and the general E-unification problem for 
linear standard theories follow from these results. All missing proofs, lemmas 
and definitions can be found in [13]. 

2 Preliminaries 

We use standard definitions as in [1]. 

Given a unification problem we can either solve the unification problem or 
decide the unification problem. Given a goal $G$ and a set of equations $E$, to 
solve the unification problem means to find a complete set of $E$-unifiers of $G$. 
To decide the unification problem simply means to answer true or false as to 
whether $G$ has an $E$-unifier. In this paper, we consider both of these problems. 

We say that a term $t$ (or an equation or a set of equations) has varity $n$ 
if each variable in $t$ appears at most $n$ times. An equation $s \approx t$ is linear if $s$ 
and $t$ are both of varity 1. Note that the equation $s \approx t$ is then of varity 2, 
but it might not be of varity 1. A set of equations is linear if each equation 
in the set is linear. For example, the axioms of group theory $\{f(x, f(y, z)) \approx 
f(f(x, y), z),\ f(w, e) \approx w,\ f(u, i(u)) \approx e\}$ are of varity 2. 

If $G$ is a set of equations then we define a path in $G$ to be a sequence of 
equations $u_1 \approx v_1, \cdots, u_n \approx v_n$ from $G$, such that for all $j$, $1 \leq j \leq n$, $u_j \approx v_j \in G$ 
or $v_j \approx u_j \in G$, and for all $i$, $1 \leq i < n$, $Vars(v_i) \cap Vars(u_{i+1}) \neq \emptyset$. In addition, 
we require that if $u \approx v$ is in $G$ but $v \approx u$ is not, then they cannot both appear 
in the path. We call the path a cycle if $Vars(u_1) \cap Vars(v_n) \neq \emptyset$. For example, 
the sequence $f(x_1, x_2) \approx g(x_3),\ f(x_3, x_4) \approx g(x_5),\ f(x_6, x_5) \approx g(x_2)$ is a cycle. 
Note that a single equation $u \approx v$ forms a cycle if $u$ and $v$ have any variables in 
common. If $G$ has a cycle, we say that $G$ is cyclic. 
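The definitions of varity, linearity and cycles can be made concrete in a few lines. The following is an added illustration, not the paper's code: terms are encoded as nested tuples (a choice made here), the group axioms and the three-equation cycle are the examples from the text, and `CYCLE[:2]` is a constructed goal with a path but no cycle.

```python
"""Added example (not the paper's code): Section 2 notions on a tuple encoding.
A term is a variable (plain string), a constant ('a',) or ('f', t1, ..., tn);
an equation is a pair (u, v) and a goal is a list of equations."""
from collections import Counter

def is_var(t):
    return isinstance(t, str)

def var_occurrences(t, acc=None):
    """Counter of how often each variable occurs in t."""
    acc = Counter() if acc is None else acc
    if is_var(t):
        acc[t] += 1
    else:
        for a in t[1:]:
            var_occurrences(a, acc)
    return acc

def varity(*terms):
    """Largest number of occurrences of any one variable across all given terms
    (pass one term, both sides of an equation, or every side of a whole goal)."""
    acc = Counter()
    for t in terms:
        var_occurrences(t, acc)
    return max(acc.values(), default=0)

def is_linear(eq):
    u, v = eq
    return varity(u) <= 1 and varity(v) <= 1

def vars_of(t):
    return set(var_occurrences(t))

def is_cyclic(G):
    """The path/cycle test as defined above: walk simple paths through the equations
    of G in either orientation, never using both orientations of an equation whose
    reverse is not itself in G, and report a path whose last right-hand side shares a
    variable with its first left-hand side (a single equation may already qualify)."""
    nodes = [(i, rev) for i in range(len(G)) for rev in (False, True)]
    def sides(node):
        i, rev = node
        u, v = G[i]
        return (v, u) if rev else (u, v)
    def dfs(path):
        first_u, last_v = sides(path[0])[0], sides(path[-1])[1]
        if vars_of(first_u) & vars_of(last_v):
            return True
        for n in nodes:
            i, rev = n
            if n in path:
                continue
            if (i, not rev) in path and (G[i][1], G[i][0]) not in G:
                continue                  # both orientations of one equation: not allowed
            if vars_of(last_v) & vars_of(sides(n)[0]) and dfs(path + [n]):
                return True
        return False
    return any(dfs([n]) for n in nodes)

# The group axioms from the text (e is a constant) and the cycle example.
GROUP = [(('f', 'x', ('f', 'y', 'z')), ('f', ('f', 'x', 'y'), 'z')),
         (('f', 'w', ('e',)), 'w'),
         (('f', 'u', ('i', 'u')), ('e',))]
CYCLE = [(('f', 'x1', 'x2'), ('g', 'x3')),
         (('f', 'x3', 'x4'), ('g', 'x5')),
         (('f', 'x6', 'x5'), ('g', 'x2'))]
```

Note that `is_cyclic(CYCLE[:2])` is false although the two equations form a path: $g(x_3)$ and $f(x_3, x_4)$ share $x_3$, but $f(x_1, x_2)$ and $g(x_5)$ do not close the loop.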



3 Inference Rules 

We give a set of inference rules for finding a complete set of $E$-unifiers of a goal 
$G$, and later we prove that for a linear equational theory $E$, every goal $G$ of 
varity 1 and substitution $\theta$ such that $E \models G\theta$ can be converted into a normal 
form which determines a substitution more general than $\theta$. The inference rules 
decompose an equational proof by choosing a potential step in the proof and 
leaving what is remaining when that step is removed. 

We define solved equations recursively. An equation $x \approx t$ in a goal $\{x \approx t\} \cup G$ 
is solved if $x$ does not appear in an unsolved equation in $G - \{x \approx t\}$. Then $x$ 
is called a solved variable. We define the unsolved part of $G$ to be the set of all 
equations in $G$ that are not solved. 

As in Logic Programming, we have a selection rule. For each goal $G$, we don't- 
care nondeterministically select an unsolved equation $u \approx v$ from $G$. We say that 
$u \approx v$ is selected in $G$. If all equations in $G$ are solved, then nothing is selected, 
$G$ is in normal form and a most general $E$-unifier can be easily determined. 

The inference rules are given in Figure 1. Except for Mutate, these are the 
usual inference rules for syntactic unification. We assume that the equational 
theory is consistent, i.e., that it has no equations of the form $t \approx x$ with $x \notin Vars(t)$. 
Therefore, in the Mutate-2 rule, $f(s_1, \cdots, s_p)$ must contain $x$. In that case, we 
call $f(s_1, \cdots, s_p) \approx x$ a collapse axiom. So, Mutate-2 and Mutate-3 are only 
applicable in theories containing collapse axioms. 

The Mutate-1 rule is so-called because it is similar to the inference rule 
Mutate that is used in the inference procedure for Syntactic Theories [10]. The 
rule assumes that there is an equational proof of the goal equation with at least 
one step at the root. If one of the equations in this proof is $s \approx t$ then that breaks 
up the proof at the root into two separate parts. We see from the inference rules 
that this rule is applicable if the last step at the root is not a collapse axiom 
with a variable on the right hand side. Otherwise, Mutate-2 or Mutate-3 will 
apply. Mutate-2 is applicable if there is a step at the root that is not a collapse 
axiom with a variable on the right hand side. Otherwise, Mutate-3 is applicable. 

Notice that the Mutate-1 rule decomposes $f(t_1, \cdots, t_n) \approx f(v_1, \cdots, v_n)$. The 
Mutate Rule for Syntactic Theories also decomposes $u \approx s$. However, that is 
only complete for Syntactic Theories. Our inference procedure is not just for 
Syntactic theories, and decomposing $u \approx s$ is not complete in our case. 

We will write $G \rightarrow G'$ to indicate that $G$ goes to $G'$ by one application of 
an inference rule. Then $\rightarrow^*$ is the reflexive, transitive closure of $\rightarrow$. 
Decomposition: 

$$\frac{\{f(s_1, \cdots, s_n) \approx f(t_1, \cdots, t_n)\} \cup G}{\{s_1 \approx t_1, \cdots, s_n \approx t_n\} \cup G}$$

Mutate 1: 

$$\frac{\{u \approx f(v_1, \cdots, v_n)\} \cup G}{\{u \approx s,\ t_1 \approx v_1, \cdots, t_n \approx v_n\} \cup G}\qquad \text{where } s \approx f(t_1, \cdots, t_n) \in E.$$

Mutate 2: 

$$\frac{\{u \approx v\} \cup G}{\{u \approx s,\ t_1 \approx s_1, \cdots, t_p \approx s_p,\ x \approx v\} \cup G}\qquad \text{where } s \approx f(t_1, \cdots, t_p),\ f(s_1, \cdots, s_p) \approx x \in E.$$

Mutate 3: 

$$\frac{\{f(u_1, \cdots, u_m) \approx v\} \cup G}{\{u_1 \approx s_1, \cdots, u_m \approx s_m,\ x \approx v\} \cup G}\qquad \text{where } f(s_1, \cdots, s_m) \approx x \in E.$$

Variable Elimination: 

$$\frac{\{x \approx t\} \cup G \cup H}{\{x \approx t\} \cup G[x \mapsto t] \cup H}\qquad \text{where } x \in G,\ G \text{ is unsolved, and } H \text{ is solved.}$$

Orient: 

$$\frac{\{t \approx x\} \cup G}{\{x \approx t\} \cup G}\qquad \text{where } t \text{ is not a variable.}$$

Trivial: 

$$\frac{\{t \approx t\} \cup G}{G}$$

a) To be exact, $s \approx t$ is renamed to have no variables in common with 
the goal. 

b) For simplicity, we assume that $E$ is closed under symmetry. 

Fig. 1. The inference rules 
We want our inference rules to be applied deterministically or don't-care 
nondeterministically whenever possible. Therefore, we allow the Trivial, Orient 
and Variable Elimination rules to be performed eagerly. It is usual in inference 
systems for the Trivial and Orient rules to be performed eagerly. However, it is 
an open question in many inference systems whether the Variable Elimination 
rule can be applied eagerly. Since we restrict our inference rules to the case where 
E is linear and G is of varity 1, we can prove the completeness when Variable 
Elimination is performed eagerly. Eager inferences are a form of determinism, 
because when inferences are performed eagerly, that means that there is no need 
to backtrack and try other rules. 

Inferences must be performed on a selected equation. This selection is a 
source of don’t-care non-determinism in our procedure. However, there are still 
some sources of don’t-know nondeterminism. If Decomposition and a Mutate 
rule (or two different Mutate rules) are both applicable to the selected equation, 
we don’t know which one to do, and therefore have to try them both. Similarly, 
there may be more than one equation we can use in order to perform a Mutate 
rule on the selected equation. In that case, we must also try all the possibilities. 

We will prove that the above inference rules solve a goal G by transforming 
it into normal forms representing a complete set of E-unifiers of G. 

In order for the final result of the procedure to determine a unifier, it must 
not be cyclic. We will consider a goal G of varity 1 and a set of linear equations. 
Since G is of varity 1, it is not cyclic. We show that property is preserved. 

Lemma 1. Suppose that $E$ is linear and $G \rightarrow H$. If $G$ is of varity 2, each 
term in $G$ is of varity 1 and $G$ is not cyclic, then $H$ is of varity 2, each term in 
$H$ is of varity 1 and $H$ is not cyclic. 

A goal $G$ is in normal form if the equations of $G$ are all of the form $x \approx t$, 
where $x$ is a variable, and the equations of $G$ can be arranged in the form 
$\{x_1 \approx t_1, \cdots, x_n \approx t_n\}$ such that for all $i < j$, $x_i$ is not in $t_j$. Then define $\theta_G$ 
to be the substitution $[x_1 \mapsto t_1][x_2 \mapsto t_2] \cdots [x_n \mapsto t_n]$. $\theta_G$ is a most general 
$E$-unifier of $G$. Notice that if a noncyclic goal has no selected equation, then the 
goal is in normal form, since Variable Elimination is applied eagerly. 
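The procedure described in this section (eager Trivial, Orient and Variable Elimination, don't-care selection of an unsolved equation, and don't-know branching over Decomposition and the three Mutate rules) can be run on small inputs. The following is an added illustration and not the authors' implementation: the tuple encoding of terms, the fresh-variable naming scheme, the treatment of two solved equations with the same left-hand variable, and the step budget that stands in for the paper's termination argument are all choices made here, and `COLLAPSE` ($f(x) \approx x$) and `SWAP` ($g(x, y) \approx f(y, x)$) are constructed theories.

```python
"""Added illustration, not the authors' implementation: a depth-bounded search with
the Fig. 1 rules.  Terms are nested tuples ('f', t1, ..., tn), constants ('a',), and
variables are plain strings.  Assumed: E is linear, the goal has varity 1, goal
variables are not named like 'x_0' (reserved for fresh variants), and a step budget
stands in for the paper's termination argument (None: nothing found in the budget)."""
from itertools import count
def is_var(t): return isinstance(t, str)
def vars_of(t): return {t} if is_var(t) else set().union(*(vars_of(a) for a in t[1:]))
def subst(t, s): return s.get(t, t) if is_var(t) else (t[0],) + tuple(subst(a, s) for a in t[1:])
def occurs(x, eq): return x in vars_of(eq[0]) | vars_of(eq[1])
def same_root(a, b): return not is_var(a) and not is_var(b) and a[0] == b[0] and len(a) == len(b)

_fresh = count()
def rename(eq):  # footnote a of Fig. 1: a variant sharing no variables with the goal
    sigma = {v: f"{v}_{next(_fresh)}" for v in vars_of(eq[0]) | vars_of(eq[1])}
    return subst(eq[0], sigma), subst(eq[1], sigma)

def close_sym(E):  # footnote b of Fig. 1: E is taken closed under symmetry
    return list(E) + [(r, l) for (l, r) in E]

def unsolved(G):
    """Least fixpoint of the recursive definition: x ~ t is solved iff x occurs in no
    other unsolved equation.  Two equations with the same left-hand variable are both
    treated as unsolved (an assumption) so that Variable Elimination merges them."""
    U = [e for e in G if not is_var(e[0]) or any(o != e and o[0] == e[0] for o in G)]
    grew = True
    while grew:
        grew = False
        for e in G:
            if e not in U and any(o != e and occurs(e[0], o) for o in U):
                U.append(e); grew = True
    return U

def eager(G):
    """Trivial, Orient and Variable Elimination, applied eagerly as in Section 3."""
    while True:
        G = [(l, r) for (l, r) in G if l != r]                                   # Trivial
        G = [(r, l) if not is_var(l) and is_var(r) else (l, r) for (l, r) in G]  # Orient
        G = list(dict.fromkeys(G))                                               # set semantics
        U = unsolved(G)
        for x, t in G:
            if is_var(x) and any(o != (x, t) and occurs(x, o) for o in U):
                if x in vars_of(t):
                    return None                                                  # cyclic: no unifier
                G = [(subst(l, {x: t}), subst(r, {x: t})) if (l, r) in U and (l, r) != (x, t)
                     else (l, r) for (l, r) in G]                                # Variable Elimination
                break
        else:
            return G

def successors(u, v, E):
    """The don't-know alternatives for the selected equation u ~ v."""
    out = []
    if same_root(u, v):
        out.append(list(zip(u[1:], v[1:])))                                      # Decomposition
    for ax in E:
        s, t = rename(ax)
        if same_root(t, v):
            out.append([(u, s)] + list(zip(t[1:], v[1:])))                       # Mutate 1
    for ax2 in E:
        fs, x = rename(ax2)
        if is_var(x) and not is_var(fs):                                         # collapse axiom f(s1..sp) ~ x
            if same_root(u, fs):
                out.append(list(zip(u[1:], fs[1:])) + [(x, v)])                  # Mutate 3
            for ax in E:
                s, t = rename(ax)
                if same_root(t, fs):
                    out.append([(u, s)] + list(zip(t[1:], fs[1:])) + [(x, v)])   # Mutate 2
    return out

def solve(G, E, fuel=8):
    """A normal form reachable from G, or None within the budget of Decomposition/Mutate steps."""
    G = eager(G)
    if G is None: return None
    U = unsolved(G)
    if not U: return G                              # every equation is x ~ t: normal form
    if fuel == 0: return None
    u, v = U[0]                                     # don't-care selection
    rest = [e for e in G if e != (u, v)]
    for H in successors(u, v, E):
        R = solve(rest + H, E, fuel - 1)
        if R is not None: return R
    return None

def unifier(G, goal_vars):
    """theta_G restricted to the goal's variables: chase the (acyclic) solved bindings."""
    b = dict(G)
    def chase(t, seen=()):
        if is_var(t): return chase(b[t], seen + (t,)) if t in b and t not in seen else t
        return (t[0],) + tuple(chase(a, seen) for a in t[1:])
    return {x: chase(x) for x in goal_vars}

def e_unify(goal_eq, E, fuel=8):
    """Decide E-unifiability of one varity-1 goal equation; the unifier found, or None."""
    nf = solve([goal_eq], close_sym(E), fuel)
    return None if nf is None else unifier(nf, vars_of(goal_eq[0]) | vars_of(goal_eq[1]))

# Constructed theories: a collapse axiom f(x) ~ x, and the LS equation g(x, y) ~ f(y, x).
COLLAPSE = [(('f', 'x'), 'x')]
SWAP = [(('g', 'x', 'y'), ('f', 'y', 'x'))]
```

With `COLLAPSE`, the goal $f(f(a)) \approx a$ is solved by two Mutate 3 steps, each followed by Orient and Variable Elimination. With `SWAP`, the goal $g(a, z) \approx f(b, a)$ yields $z \mapsto b$ after one Mutate 1 step and a Decomposition, while $g(a, b) \approx f(a, b)$ has no unifier: its only branch reproduces the goal, so the search exhausts its budget.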



4 A Bottom Up Inference System 

In order to prove the completeness of this procedure, we first define an equational 
proof using Congruence and Equation Application rules. We prove that this 
equational proof is equivalent to the usual definition of equational proof, which 
involves Reflexivity, Symmetry, Transitivity and Congruence. 

We will define a bottom-up inference system for ground terms, using the 
following rules of inference from a set of equations closed under symmetry: 

Congruence: 

$$\frac{s_1 \approx t_1 \qquad \cdots \qquad s_n \approx t_n}{f(s_1, \cdots, s_n) \approx f(t_1, \cdots, t_n)}$$

Equation Application: 

$u \approx v$ 

if $s \approx t$ is a ground instance of an equation in $E$. 

For Congruence $n \geq 0$. In the special case where $n = 0$, $f$ is a constant. 

We define $E \vdash u \approx v$ if there is a proof of $u \approx v$ using the Congruence and 
Equation Application rules. If $\pi$ is a proof, then $|\pi|_E$ is the ordered pair $(m, n)$, 
where $m$ is the number of Equation Application steps in $\pi$ and $n$ is the number 
of Congruence steps. These ordered pairs are compared lexicographically, and 
addition is defined by components, i.e., $(m, n) + (p, q) = (m + p, n + q)$. $|u \approx v|_E$ 
is the pair $(m, n)$, which is the minimum $|\pi|_E$ such that $\pi$ is a proof of $u \approx v$. 

We need to prove that $\{u \approx v \mid E \vdash u \approx v\}$ is closed under Reflexivity, 
Symmetry and Transitivity. Also, we need to prove that certain rotations of a 
proof can be done without making the proof any larger (see [13]). 

Theorem 1. If $u$ and $v$ are ground and $E \models u \approx v$, then $E \vdash u \approx v$. 



5 Completeness 

In this section, we will state the completeness of the inference rules given in 
Figure 1 where $E$ is linear, and $G$ is of varity 1. See [13] for the proof. First 
we define a measure on the equations in the goal, which will be used in the 
completeness proof. 

Definition 1. Let $E$ be an equational theory and $G$ be a goal. Let $\theta$ be a sub- 
stitution such that $E \models G\theta$. We will define a measure $\mu$, parameterized by $\theta$ 
and $G$. Let $m$ (resp. $q$) be the sum of all the first (resp. second) components of 
$|u\theta \approx v\theta|_E$, where $u \approx v$ is an unsolved equation of $G$. Let $n$ be the number of un- 
solved variables in $G$. Let $p$ be the number of equations of the form $t \approx x$, where 
$x$ is a variable and $t$ is not. Then define $\mu(G, \theta)$ to be the quadruple $(m, n, q, p)$. 
We will compare these quadruples lexicographically. 

Now we come to the completeness theorem, which says that every $E$-unifier 
can be gotten from our algorithm. The proof of the theorem shows that if there 
is a goal which is not in normal form, then an inference can be performed to 
reduce the measure of the goal. Variable Elimination, Orient and Trivial always 
reduce the measure of the goal. 

Theorem 2. Suppose that $E$ is an equational theory, $G$ is a set of goal equa- 
tions, $E$ is linear, $G$ is of varity 2, every term in $G$ is varity 1, $G$ is not cyclic, 
and $\theta$ is a ground substitution. If $E \models G\theta$ then there exists a goal $H$ in normal 
form such that $G \rightarrow^* H$ and $\theta_H \leq_E \theta\,[Var(G)]$. 

Corollary 1. Suppose that $E$ is an equational theory, $G$ is a set of goal equa- 
tions, $E$ is linear, $G$ is of varity 1, and $\theta$ is a ground substitution. If $E \models G\theta$ 
then there exists a goal $H$ such that $G \rightarrow^* H$ and $\theta_H \leq_E \theta\,[Var(G)]$. 
6 Linear Standard Theories 

In this section we consider Linear Standard (LS) theories. 

Definition 2. An equation $u \approx v$ is LS if $u$ and $v$ are linear, and every variable 
that is shared by $u$ and $v$ is at depth 1 or 0 in $u$ and also at depth 1 or 0 in $v$. 
A set of equations $E$ is LS if every equation in $E$ is LS. 

For example, $f(g(h(x_1)), x_2, h(g(x_3)), x_4) \approx k(x_2, x_4, k(x_5, a, x_6))$ is LS. So 
is the collapsing equation $f(x) \approx x$. Some examples that are not LS are 
$f(x, x) \approx g(a)$ and $f(x, f(y)) \approx g(y)$. The first one is not LS because $f(x, x)$ is 
not linear. The second one is not LS, because $y$ appears on both sides, but is at 
depth 2 on the left side. 
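Definition 2 can be checked mechanically on the four equations just listed. This is an added illustration, not the paper's code; it uses the same tuple encoding of terms as before and the example names are chosen here.

```python
"""Added example (not the paper's code): the LS test of Definition 2.
Terms are nested tuples ('f', t1, ..., tn), constants ('a',), variables strings."""
def is_var(t):
    return isinstance(t, str)

def var_depths(t, d=0, acc=None):
    """Map each variable to the list of depths at which it occurs in t."""
    acc = {} if acc is None else acc
    if is_var(t):
        acc.setdefault(t, []).append(d)
    else:
        for a in t[1:]:
            var_depths(a, d + 1, acc)
    return acc

def is_linear_term(t):
    return all(len(ds) == 1 for ds in var_depths(t).values())

def is_LS(eq):
    """u ~ v is LS iff both sides are linear and every shared variable is at depth
    0 or 1 on both sides; non-shared variables may sit at any depth."""
    u, v = eq
    if not (is_linear_term(u) and is_linear_term(v)):
        return False
    du, dv = var_depths(u), var_depths(v)
    return all(du[x][0] <= 1 and dv[x][0] <= 1 for x in du.keys() & dv.keys())

# The four equations from the text, in the tuple encoding.
LS_EX = (('f', ('g', ('h', 'x1')), 'x2', ('h', ('g', 'x3')), 'x4'),
         ('k', 'x2', 'x4', ('k', 'x5', ('a',), 'x6')))
COLLAPSE_EX = (('f', 'x'), 'x')
NOT_LINEAR_EX = (('f', 'x', 'x'), ('g', ('a',)))
TOO_DEEP_EX = (('f', 'x', ('f', 'y')), ('g', 'y'))
```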

Throughout this section, we will refer to equational theories $E$ that are LS 
and goals $G$ that are varity 1. We consider the $E$-unification problem for such 
theories and goals. For simplicity, since no variable is repeated in a goal, we 
will consider goals consisting of a single equation, because each equation can be 
$E$-unified separately, and the results can be combined. 

We have defined inference rules for linear theories, and shown their com- 
pleteness and soundness. For LS theories and varity 1 goals, we will derive an 
algorithm that always halts, and show therefore that this kind of $E$-unification 
is decidable, and then analyze its complexity. 

In our completeness result, we proved that Variable Elimination and Orient 
and Trivial can be performed eagerly. Therefore, we will refer to Mutate+ infer- 
ence rules (Mutate 1+, Mutate 2+ and Mutate 3+). These inference rules will 
consist of Mutate, plus some eager Variable Eliminations. 

Mutate 1+: 

$$\frac{\{u \approx f(v_1, \cdots, v_n)\} \cup G}{\{u \approx s\sigma,\ t_1 \approx v_1, \cdots, t_n \approx v_n\} \cup G}$$

where $s \approx f(t_1, \cdots, t_n) \in E$ and $\sigma = \{t_j \mapsto v_j \mid t_j \in Vars,\ 1 \leq j \leq n\}$. 

Mutate 2+: 

$$\frac{\{u \approx v\} \cup G}{\{u \approx s\sigma,\ t_1 \approx s_1, \cdots, t_i \approx v, \cdots, t_p \approx s_p,\ x \approx v\} \cup G}$$

where $s \approx f(t_1, \cdots, t_p),\ f(s_1, \cdots, s_p) \approx x \in E$, $s_i = x$, and $\sigma = \{t_j \mapsto s_j \mid t_j \in 
Vars,\ 1 \leq j \leq p\}$. 

Mutate 3+: 

$$\frac{\{f(u_1, \cdots, u_m) \approx v\} \cup G}{\{u_1 \approx s_1, \cdots, u_i \approx v, \cdots, u_m \approx s_m,\ x \approx v\} \cup G}$$

where $f(s_1, \cdots, s_m) \approx x \in E$ and $s_i = x$. 

Next we prove that the property that the unsolved part of a goal is varity 
1 is preserved by the inference rules. Recall that this means that no variable is 
repeated anywhere else in the entire goal. 

Lemma 2. Let $G$ be a goal such that the unsolved part of $G$ is of varity 1, and 
$E$ is LS. Suppose $G \rightarrow G'$. Then the unsolved part of $G'$ is of varity 1. 

Furthermore, suppose that no variable appears more than twice in $G$, and any 
variable $y$ that does appear twice in $G$ appears in a term $t$ in a solved equation 
of the form $x \approx t$ with $x$ a variable from $E$. Then the same thing is true in $G'$. 

Corollary 2. Suppose $E$ is LS. If $G$ is of varity 1, and $G \rightarrow^* G'$, then the 
unsolved part of $G'$ is of varity 1. Furthermore, the Variable Elimination rule is 
not used in the derivation of $G'$, except as part of a Mutate+ inference rule. 

Next, we give a description of what terms can appear in a derivation. First 
we give a recursive definition of a decomposition of an equation $u \approx v$. 

Definition 3. Decomposition of an equation $u \approx v$ is defined recursively as 

1. $u \approx v$ is a decomposition of $u \approx v$. 

2. If $s \approx t$ is a decomposition of $u \approx v$ then $t \approx s$ is a decomposition of $u \approx v$. 

3. If $f(u_1, \cdots, u_n) \approx f(v_1, \cdots, v_n)$ is a decomposition of $u \approx v$ then $u_i \approx v_i$ is 
a decomposition of $u \approx v$ for all $i$, $1 \leq i \leq n$. 

For example, the equation $f(g(x), h(y)) \approx f(g(h(a)), f(z))$ has four decompo- 
sitions. They are $f(g(x), h(y)) \approx f(g(h(a)), f(z))$, $g(x) \approx g(h(a))$, $h(y) \approx f(z)$ 
and $x \approx h(a)$. Notice that if $s \approx t$ is a decomposition of $u \approx v$ then there exists 
a position $i$ such that $u|_i = s$ and $v|_i = t$, or $v|_i = s$ and $u|_i = t$. 
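Definition 3 computed on the example equation, as an added illustration that is not the paper's code (same tuple encoding as before). Each decomposition is returned once, with the two orientations of item 2 identified, and `position_check` verifies the observation in the last sentence above.

```python
"""Added example (not the paper's code): decompositions of an equation (Definition 3)
and the position property stated after it.  Terms are nested tuples ('f', t1, ..., tn),
constants ('a',), variables plain strings."""
def is_var(t):
    return isinstance(t, str)

def decompositions(eq):
    """All decompositions of u ~ v, each as a frozenset {s, t} so that s ~ t and
    t ~ s (item 2 of the definition) count once.  Item 3 descends only when both
    sides have the same top symbol and arity."""
    out = []
    def go(s, t):
        pair = frozenset((s, t))
        if pair in out:
            return
        out.append(pair)
        if not is_var(s) and not is_var(t) and s[0] == t[0] and len(s) == len(t):
            for a, b in zip(s[1:], t[1:]):
                go(a, b)
    go(*eq)
    return out

def positions(t, pos=()):
    """All positions of t as argument-index tuples; () is the root."""
    yield pos
    if not is_var(t):
        for k in range(1, len(t)):
            yield from positions(t[k], pos + (k,))

def at(t, pos):
    for k in pos:
        t = t[k]
    return t

def position_check(eq):
    """Every decomposition s ~ t is u|i ~ v|i (or v|i ~ u|i) for some position i
    that exists in both u and v."""
    u, v = eq
    common = set(positions(u)) & set(positions(v))
    return all(any(frozenset((at(u, p), at(v, p))) == d for p in common)
               for d in decompositions(eq))

# The equation from the text.
EXAMPLE = (('f', ('g', 'x'), ('h', 'y')), ('f', ('g', ('h', ('a',))), ('f', 'z')))
```

Note that $y \approx z$ is not among the decompositions although both sit at position 2.1: item 3 only descends through a common top symbol, and $h(y)$ and $f(z)$ have different ones.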

Decompositions of the goal can appear in a derivation. We need some more 
definitions before we can say what else can appear in a derivation. 

Definition 4. — $St(t)$ is the set of all subterms of $t$. $St(s \approx t) = St(s) \cup St(t)$. 
$St(E) = \bigcup\{St(e) \mid e \in E\}$. 

— $Pr(t)$ is the set of all proper subterms of $t$. $Pr(s \approx t) = Pr(s) \cup Pr(t)$. 
$Pr(E) = \bigcup\{Pr(e) \mid e \in E\}$. 

— $Im(t)$ is the set of all immediate subterms of $t$, i.e., $t_i \in Im(f(t_1, \cdots, t_n))$ 
for all $i$, $1 \leq i \leq n$. 

— $Ren(t)$ is the set of all renamings (variants) of $t$. 

Some instances of terms can appear in the derivation, called shallow instances, 
because only the shared shallow variables are instantiated. 

Definition 5. $s \in Sh(t, E, u)$ ($s$ is a shallow $(t, E)$ instance of $u$) if there is a 
variant $u' \approx v'$ of an equation $u \approx v \in E$ and a substitution $\sigma$ such that 

1. The domain of $\sigma$ is the set of all shared variables in $u' \approx v'$. 

2. $Ran(\sigma) \subseteq Im(t) \cup Ren(Pr(E))$. 

3. $s = u'\sigma$. 

$s \in Sh(t, E)$ if there is a $u$ such that $s \in Sh(t, E, u)$. 

For example, suppose that $t$ is $f(h(x, y), f(c, d))$, and $E$ is $\{g(h(x, y), z, w) \approx 
f(z, w),\ h(f(a, x), y) \approx f(y, g(a, a, b))\}$. Then $g(h(x', y'), z', w')$ and 
$g(h(x', y'), h(x, y), f(a, x''))$ are both shallow $(t, E)$ instances of $g(h(x, y), z, w)$. 
The next definition shows what can appear in a derivation. 

Definition 6. — $s \in Der(E, e)$ if there is a $t$ in $St(e)$ with a symbol from $E$ 
as its top symbol, such that $s \in Im(t) \cup Ren(St(E)) \cup Sh(t, E)$. 

— $s \approx s' \in Der(E, e)$ if $s$ and $s'$ are in $Der(E, e)$. 

— $G \in Der(E, e)$ if every $s \approx s' \in G$ is in $Der(E, e)$. 

We need a small proposition about this definition. 

Proposition 1. Let $s \in Der(E, e)$. Then there is a $t \in St(e)$ such that $Im(s) \subseteq 
Im(t) \cup Ren(Pr(E))$. 

From Proposition 1 we see that all immediate subterms (and therefore all 
subterms) of a term in $Der(E, e)$ are also in $Der(E, e)$. 

We prove that only those kinds of equations can appear in a derivation. 

Lemma 3. Let $E$ be LS. Let $G$ be varity 1 and $G \in Der(E, e)$. Suppose $G \rightarrow 
G'$. Then $G' \in Der(E, e)$. 

Corollary 3. Suppose $E$ is LS. If $e$ is of varity 1, and $e \rightarrow^* G'$, then $G' \in 
Der(E, e)$. 

We get a better complexity result when the equations of $E$ are varity 1. 

Lemma 4. Let $E$ be varity 1. Let $G$ be varity 1. Suppose $G \rightarrow G'$. Suppose 
that every side of an equation in $G$ is in $Ren(St(E)) \cup Im(t)$ for some $t \in St(e)$. 
Furthermore, suppose that each equation in $G$ is a Decomposition or one side is 
in $Ren(St(E))$. Then $G'$ has those same properties. 

Corollary 4. Suppose $E$ and $G$ are varity 1. If $e \rightarrow^* G'$, then every side of an 
equation in $G'$ is in $Ren(St(E)) \cup Im(t)$ for some $t \in St(e)$. Also, each equation 
in $G'$ is a Decomposition or one side is in $Ren(St(E))$. 

Since we have shown that Variable Elimination is not applicable, all of our 
inference rules can be expressed as Horn clauses, where the head of the clause 
is the selected literal, and the body is the result of the inference on the selected 
literal. In fact the variables which are introduced in the body of the Horn clause 
can be skolemized, again because of the fact that the Variable Elimination rule 
is not applicable. We define a Skolem function $Sk$ which turns a variable into 
a constant, i.e., $Sk(t) = t\theta$, where $\theta = \{x \mapsto c \mid x \in Vars(t)\}$. Note that every 
variable maps to the same constant, since the constant is not important. We also 
add Horn clauses to eliminate solved variables. Therefore, the inference rules are 
expressed by the following Horn clauses. 

Decomposition, Orient and Trivial are expressed as: 

$$f(x_1, \cdots, x_n) \approx f(y_1, \cdots, y_n) \leftarrow x_1 \approx y_1, \cdots, x_n \approx y_n$$

$$y \approx c \leftarrow c \approx y$$

$$x \approx x \leftarrow$$

196 C. Lynch and B. Morawska 



The Mutate 1+ rule is:

$\leftarrow (y \approx s\sigma,\ t_1 \approx x_1, \dots, t_n \approx x_n)\theta$

where $s \approx f(t_1, \dots, t_n) \in E$, $\sigma = \{t_j \mapsto x_j \mid t_j \in Vars,\ 1 \le j \le n\}$, and $\theta = \{x' \mapsto c \mid x' \in Vars(s \approx f(t_1, \dots, t_n))\}$.

The Mutate 2+ rule is:

$y \approx z \leftarrow (y \approx s\sigma,\ t_1 \approx s_1, \dots, t_i \approx z, \dots, t_p \approx s_p,\ x \approx z)\theta$

where $s \approx f(t_1, \dots, t_p),\ f(s_1, \dots, s_p) \approx x \in E$, $s_i = x$, $\sigma = \{t_j \mapsto s_j \mid s_j \in Vars,\ 1 \le j \le n\}$, and $\theta = \{x' \mapsto c \mid x' \in Vars(s \approx f(t_1, \dots, t_p)) \cup Vars(f(s_1, \dots, s_p) \approx x)\}$.

The Mutate 3+ rule is:

$f(x_1, \dots, x_m) \approx y \leftarrow (x_1 \approx s_1, \dots, x_i \approx y, \dots, x_m \approx s_m,\ x \approx y)\theta$

where $f(s_1, \dots, s_m) \approx x \in E$, $s_i = x$, and $\theta = \{x' \mapsto c \mid x' \in Vars(f(s_1, \dots, s_m) \approx x)\}$.

We also add an inference rule to remove solved variables:

$c \approx y \leftarrow$

Therefore, each equational theory $E$ determines a particular set of Horn clauses. Let us denote this set of Horn clauses as $HC(E)$. Note that the equality in these Horn clauses is now interpreted just as a binary predicate symbol with no special meaning. We have the following result:

Theorem 3. Let $e$ be a goal of varity 1 and $E$ be LS. Then $e$ is $E$-unifiable if and only if there is an SLD derivation of $Sk(e)$ in $HC(E)$.

Corollary 5. Let $e$ be a goal of varity 1 and $E$ be LS. Then $e$ is $E$-unifiable if and only if $HC(E) \models Sk(e)$.

We notice that only certain ground instances will arise in the SLD refutation. Let $HC(e, E)$ be the set of all instances of $HC(E)$ such that the head of the clause is in $Sk(Der(E, e))$. Then we have the following theorem:

Theorem 4. Let $e$ be a goal of varity 1 and $E$ be LS. Then $e$ is $E$-unifiable if and only if there is an SLD derivation of $Sk(e)$ in $HC(e, E)$.

Corollary 6. Let $e$ be a goal of varity 1 and $E$ be LS. Then $e$ is $E$-unifiable if and only if $HC(e, E) \models Sk(e)$.

Finally we have the decidability and complexity theorem of $E$-unification for varity 1 goals in LS theories:

Theorem 5. Suppose that $E$ is LS and $e$ is varity 1. Then

1. It is decidable in polynomial time whether $e$ is $E$-unifiable.

2. If $E$ is considered constant, then it is decidable in $O(|e|^2)$ whether $e$ is $E$-unifiable.

3. If $E$ is considered constant, and all equations in $E$ are varity 1, then it is decidable in $O(|e|)$ whether $e$ is $E$-unifiable.

Note: $|e|$ refers to the size of $e$ (number of symbols).



7 Most General $E$-Unifiers

In this section we extend our results on LS theories and varity 1 goals to examine how efficient it is to compute a complete set of $E$-unifiers. First, we show that there is a complete set of unifiers such that the range of every substitution in the set only contains terms from $Der(E, e)$. This result, along with the polynomial time algorithm for deciding $E$-unifiability, leads us to all the rest of the results of the section, which are independent of the algorithm we have given.

We show that there is a complete set of $E$-unifiers no bigger than simply exponential. However, we give an example of a ground theory where the size of the minimal complete set of $E$-unifiers is simply exponential. So the bound is tight. Even though the size can be exponential, it still has some nice properties. We define a complete set of $E$-unifiers $CSU_E(u \approx v)$, and show that given a substitution $\sigma$, it can be decided in polynomial time whether $\sigma \in CSU_E(u \approx v)$.

Using those results, we finally move to the general $E$-unification problem for LS theories. In other words, we no longer restrict ourselves to varity 1 goals. We give a NEXPTIME algorithm for deciding unifiability. It is known that $E$-unification is NP hard, even for ground theories [18]. This leaves us with a gap for the actual complexity of the problem. The complete set of $E$-unifiers that we construct may be doubly exponential in size. However, all terms appearing in a substitution in the complete set of $E$-unifiers have depth linear in the maximum of the depths of the terms in the goal and the equational theory.

First we show that it is decidable in polynomial time if $\sigma$ is an $E$-unifier of $u \approx v$. We will define $Gr(u \approx v)$ to be an instance of $u \approx v$ such that each variable in $u \approx v$ is replaced by a different new constant.

Theorem 6. Let $E$ be LS. Then it is decidable in polynomial time whether $\sigma$ is an $E$-unifier of $u \approx v$.

The next result in this section refers to the earlier completeness results. 

Theorem 7. Suppose $E$ is LS and $u \approx v$ is of varity 1. Then there is a complete set of $E$-unifiers $\Theta$ of $u \approx v$ such that if $\sigma \in \Theta$ then $Ran(\sigma) \subseteq Der(E, e)$.

Using that result, we can show that there is a complete set of E-unifiers with 
at most simply exponentially many members. 

Theorem 8. If $E$ is LS and $u \approx v$ is varity 1 then there is a simply exponential size complete set of $E$-unifiers of $u \approx v$.

There are goals which have simply exponential sized minimal complete sets 
of E-unifiers, even in ground theories, so this is a tight bound. 

Theorem 9. There is a ground theory $E$ and a goal $u \approx v$ of varity 1, such that every minimal complete set of $E$-unifiers of $u \approx v$ has exponentially many members.

A complete set of $E$-unifiers of $u \approx v$ can be described as follows: $CSU_E(u \approx v) = \{\sigma \mid Dom(\sigma) = Vars(u \approx v),\ Ran(\sigma) \subseteq Der(E, e),\ \text{and } \sigma \text{ is an } E\text{-unifier of } u \approx v\}$. We can decide in polynomial time whether a given $\sigma$ is a member of $CSU_E(u \approx v)$.

Theorem 10. Let $E$ be LS, and $e$ be varity 1. Let $\sigma$ be a substitution. Then it is decidable in polynomial time if $\sigma \in CSU_E(e)$.

Finally, we move to the most general case of $E$-unification, where $E$ is LS but the goal $e$ is not necessarily varity 1. It can be in any form.

Theorem 11. Let $E$ be LS and $e$ be a goal. Then

1. $E$-unification for $e$ is decidable in NEXPTIME.

2. There is a complete set, $\Theta$, of $E$-unifiers of $e$ which is of doubly exponential size.

3. Every term appearing in the range of a substitution of $\Theta$ has depth linear in the maximum depth of the terms in $E$ and $e$.

8 Conclusion 

This paper presents a new technique for showing decidability and complexity results for $E$-unification problems. It makes it easy to analyze what forms of subgoals will arise from the initial goal equation. That gives useful information for making the procedure halt, and then an examination of what kinds of equations are generated allows us to determine the complexity.

One application of the results of this paper is for approximating $E$-unification problems. For any theory and goal, we can rename all the variables in the theory and goal to new variables until they are varity 1.† As we showed, a linear time algorithm can be run on the new problem, and if the algorithm says "not $E$-unifiable", then that is also true of the initial $E$-unification problem. This is useful in the context of automated deduction problems that require lots of $E$-unification, and would allow quickly discarding many $E$-unification problems.

There are some relationships with some of our other papers. In [?] we gave a goal directed inference system for $E$-unification in a similar style. The method of showing soundness and completeness in that paper is similar to the method in this paper. However, this time the inference system is different, and the Eager Variable Elimination rules make the proof more difficult. That paper had no decidability or complexity results.

Another recent work of ours [14] also develops decidability and complexity results for a class of equational theories and goals of varity 1. However, the class of problems in that paper is not a syntactic class, and the complexity results are not as good. We have actually shown in this paper that Linear Standard theories are in that class, because any $E$-unification problem whose goal contains only subterms of $E$ or general terms will have a complete set of $E$-unifiers, such that the range of every substitution in the complete set only contains goal terms.

We would also like to compare our work to other recent works, which show $E$-unification decidable for syntactic classes such as linear standard theories [18, 9]. There are three basic approaches to the problem: saturation based theorem proving methods like completion [18], tree automata techniques [3, 18], and goal-directed inference rule methods [4]. Actually, [9] shows a relationship between their saturation methods and tree automata techniques. The methods of [4] are quite different from ours, even though they both use goal directed inference rule methods. One difference is that [4] saturate $E$ by completion-like inference rules to make it syntactic. We do not do that, since our inference procedure is not limited to Syntactic Theories. In fact, all of the methods except ours pre-process $E$ using something like completion. Therefore our method benefits from a memoization technique (as opposed to dynamic programming) that the other methods may not benefit from. On the other hand, there is one thing that all the methods share in common. They all are based on the fact that only certain terms will appear during the procedure.

† This is more renaming than necessary, because it removes all variables shared by both sides of an equation.

Most of those other techniques have been used to show decidability results. Complexity results and bounds on the size of the minimal complete set of unifiers are not usually addressed. However, these issues are addressed quite nicely for shallow theories in [18]. The main benefit of our paper is to focus more on complexity. Our quadratic bound is interesting, because the results on shallow theories give a polynomial bound for the word problem, but not the exact polynomial. We suspect that the techniques used in this paper to analyze complexity could be used in other methods. We also discuss $E$-unification for varity 1 goals. There is a mention of $E$-unification for varity 1 goals in shallow linear theories in [?], where they give a simple decidability result using tree automata.

Since we reduced our $E$-unification problem to a Horn clause implication problem, and then showed only certain instances of the Horn clauses are necessary for the derivation, it is natural to ask whether these Horn clauses are stably local [7], i.e. if variables only need to be substituted by terms appearing in the theory and goal. The presented Horn clause theory is not stably local, but if the single variables appearing in the Horn clauses were replaced by all possible terms of the form $f(x_1, \dots, x_n)$, then the theory would be stably local. The initial equational theory is not stably local, because the shallow instances take us out of the set of subterms, and also because the shared variables may need to unify with terms that are not even in $Der(E, e)$.

We plan to extend the algorithm and techniques presented in this paper to get other decidability and complexity results. We would like to know what other classes can be shown decidable and efficient using this method. We have already started analyzing other syntactic forms of linear theories. But we also will consider non-linear theories. We left a gap in the complexity results for general $E$-unification of linear standard theories, which needs to be filled. Also, we are interested in finding better ways of approximating equational theories. Finally, there should be a closer examination of the relationship between our goal-directed method and the saturation-based and tree automata methods. Can our complexity techniques be used there? Maybe all these methods are encodings of the same process.
Herbrand's Theorem for Prenex Gödel Logic and Its Consequences for Theorem Proving*

Technische Universität Wien, Austria



Abstract. Herbrand's Theorem for $G_\Delta$, i.e., Gödel logic enriched by the projection operator $\Delta$, is proved. As a consequence we obtain a "chain normal form" and a translation of prenex $G_\Delta$ into (order) clause logic, referring to the classical theory of dense total orders with endpoints. A chaining calculus provides a basis for efficient theorem proving.



1 Introduction 

Fuzzy logic formalizes reasoning in the context of vague (imprecise) information. (See the introduction of [21].) Automated reasoning in first order fuzzy logic(s) is a big and important challenge. Among the three fundamental fuzzy logics — Łukasiewicz logic Ł, Product logic P, and Gödel logic $G_\infty$ — only $G_\infty$ (also called "intuitionistic fuzzy logic" [26]) is recursively axiomatizable (see [21]). In fact, even Gödel logic is incomplete if either certain "0-1-relativizations" are added to the language (see [4]) or the topological structure of the truth value set is changed (see [5]). In any case, in contrast to propositional logics, efficient proof search at the (general) first order level seems to be beyond the current state of the art, if possible at all. Thus it is reasonable to consider natural, non-trivial fragments.

Here we focus on the prenex fragment of $G_\Delta$; i.e., $G_\infty$ enriched by the relativisation operator $\Delta$. $\Delta$ allows to make "fuzzy" statements "crisp" by mapping $\Delta P$ to the distinguished truth value 1 if the value of $P$ equals 1, and to 0 otherwise. (See [4, 11] and Section 2 below for more information about $\Delta$.)

We demonstrate (in Section 3) that Herbrand's Theorem holds for $G_\Delta$. This has important consequences not only from a theoretical point of view, but also for automated proof search. Indeed, we will use Herbrand's Theorem to show (in Section 5) that all prenex formulas $P$ from $G_\Delta$ can be translated faithfully and efficiently (in linear time) into corresponding sets of "order clauses". The latter are classical clauses with predicate symbols $<$ and $\le$ interpreted as total dense orders (strict and reflexive, respectively). "Chaining calculi" for efficient deduction in such a context have been introduced (among others) in [1, 14]. We will focus on one of these calculi (in Section 6) and argue (in Section 7) that it is a suitable basis for handling translated formulas from prenex $G_\Delta$; in particular for the monadic fragment of prenex $G_\Delta$, which we will also show to be undecidable. See [20] for another approach applying chaining techniques to deduction in many-valued logics.

Another consequence of Herbrand's Theorem for $G_\Delta$ is the existence of a "chain normal form" for prenex formulas. This is investigated in Section 4.

2 Preliminaries

First-order Gödel logic $G_\infty$, sometimes also called intuitionistic fuzzy logic [26] or Dummett's LC (e.g. in [?], referring to [?]), arises from intuitionistic logic by adding the axiom of linearity $(P \supset Q) \vee (Q \supset P)$ and the axioms $\forall x (P(x) \vee Q^{(x)}) \supset (\forall x P(x)) \vee Q^{(x)}$ and $\exists x (P(x) \vee Q^{(x)}) \supset (\exists x P(x)) \vee Q^{(x)}$ ($\forall$-shift), where the notation $A^{(x)}$ indicates that $x$ does not occur free in $A$.¹ Semantically Gödel logic is viewed as infinite-valued logic with the real interval $[0, 1]$ as set of truth values.

¹ For more information about Gödel logic — its winding history, importance, variants, alternative semantics and proof systems — see, e.g., [1, 2, 4, 5, 7, 8, 9, 10, 11, 12, 16, 17, 18, 21, 22, 26].

An interpretation $\mathcal I$ consists of a non-empty domain $D$ and a valuation function $val_{\mathcal I}$ that maps constants and object variables to elements of $D$ and $n$-ary function symbols to functions from $D^n$ into $D$. $val_{\mathcal I}$ extends in the usual way to a function mapping all terms of the language to an element of the domain. Moreover, $val_{\mathcal I}$ maps every $n$-ary predicate symbol $p$ to a fuzzy relation, i.e., a function from $D^n$ into $[0, 1]$. The truth-value of an atomic formula (atom) $A = p(t_1, \dots, t_n)$ is thus defined as

$val_{\mathcal I}(A) = val_{\mathcal I}(p)(val_{\mathcal I}(t_1), \dots, val_{\mathcal I}(t_n))$.

For the truth constants $\bot$ and $\top$ we have $val_{\mathcal I}(\bot) = 0$ and $val_{\mathcal I}(\top) = 1$. The semantics of propositional connectives is given by

$val_{\mathcal I}(P \supset Q) = 1$ if $val_{\mathcal I}(P) \le val_{\mathcal I}(Q)$, and $val_{\mathcal I}(P \supset Q) = val_{\mathcal I}(Q)$ otherwise,
$val_{\mathcal I}(P \wedge Q) = \min(val_{\mathcal I}(P), val_{\mathcal I}(Q))$,
$val_{\mathcal I}(P \vee Q) = \max(val_{\mathcal I}(P), val_{\mathcal I}(Q))$.

$\neg A$ and $A \equiv B$ are abbreviations for $A \supset \bot$ and $(A \supset B) \wedge (B \supset A)$, respectively.

To assist a concise formulation of the semantics of quantifiers we define the distribution of a formula $P$ and a free variable $x$ with respect to an interpretation $\mathcal I$ as

$Distr_{\mathcal I}(P(x)) \stackrel{def}{=} \{val_{\mathcal I'}(P(x)) \mid \mathcal I' \sim_x \mathcal I\}$,

where $\mathcal I' \sim_x \mathcal I$ means that $\mathcal I'$ is exactly as $\mathcal I$ with the possible exception of the domain element assigned to $x$. The semantics of quantifiers is given by the infimum and supremum of the corresponding distribution:

$val_{\mathcal I}((\forall x) P(x)) = \inf Distr_{\mathcal I}(P(x))$, $\qquad val_{\mathcal I}((\exists x) P(x)) = \sup Distr_{\mathcal I}(P(x))$.

Following [?] we extend $G_\infty$ with the "projection modalities" $\nabla$ and $\Delta$:



A formula $P$ is called valid in $G_\Delta$ — we write: $\models_{G_\Delta} P$ — if $val_{\mathcal I}(P) = 1$ for all interpretations $\mathcal I$.

Whereas $\nabla P$ can already be defined in $G_\infty$ as $\neg\neg P$, the extension including $\Delta$, called $G_\Delta$ here, is strictly more expressive. $\Delta$ allows to recover classical reasoning inside "fuzzy reasoning" in a very simple and natural manner: If all atoms are prefixed
by $\Delta$ then $G_\Delta$ coincides with classical logic. However, the expressive power of $\Delta$ goes much beyond this. In particular, observe that $\Delta \exists x P(x) \supset \exists x \Delta P(x)$ is not valid in $G_\Delta$. In fact, as shown in [4], $G_\Delta$ is not even recursively axiomatizable if a certain "relativization operator" is present. (The recursive axiomatizability of $G_\Delta$ itself still seems to be an open problem; compare [?].) This motivates the interest in fragments of $G_\Delta$ in the context of effective theorem proving. A natural (syntactically simple) and non-trivial (see below) fragment of $G_\Delta$ is prenex $G_\Delta$, i.e., all quantifiers in a formula are assumed to occur at the left hand side of the formula.

Remark 1. Whereas the prenex fragment of intuitionistic logic is PSPACE-complete [?], prenex $G_\Delta$ is undecidable. In fact, we will show in Section 7 that prenex $G_\Delta$ is already undecidable for signatures with only monadic predicate symbols and no function symbols. On the other hand — like in intuitionistic logic — quantifiers cannot be shifted arbitrarily in $G_\infty$ and $G_\Delta$. In other words, arbitrary formulas cannot be reduced to provably equivalent prenex formulas (in contrast to classical logic).



3 Herbrand's Theorem

In this section we show how to effectively associate with each prenex formula $P$ of $G_\Delta$ a propositional (variable free) formula $P^*$ which is valid if and only if $P$ is valid.

Definition 2. Let $Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$ with $Q_i \in \{\forall, \exists\}$ be a (prenex) formula, where $P$ is quantifier free. Its Skolem form, denoted by $\exists \bar x P^S(\bar x)$,² is obtained by rewriting $\exists \bar z \forall u\, Q(\bar z, u)$ to $\exists \bar z\, Q(\bar z, f(\bar z))$ as often as possible.



Lemma 3. Let $P$ be a quantifier free formula:

$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n) \ \Rightarrow\ \models_{G_\Delta} \exists \bar x P^S(\bar x)$.

Proof. Follows from the usual laws of quantification. □

Let $P$ be a formula. The Herbrand universe $U(P)$ of $P$ is the set of all ground terms (those with no variables) which can be constructed from the set of function symbols occurring in $P$. To prevent $U(P)$ from being finite or empty we add a constant and a function symbol of positive arity if no such symbols appear in $P$. The Herbrand base $B(P)$ is the set of atoms constructed from the predicate symbols in $P$ and the terms of the Herbrand universe. A Herbrand expansion of $P$ is a disjunction of instances of $P$ where free variables are replaced with terms in $U(P)$.

Remark 4. We make use of the fact that the truth-value of any formula $P$ of $G_\Delta$ under a given interpretation only depends on the ordering of the respective values of atoms occurring in $P$.



Lemma 5. Let $P$ be a quantifier-free formula. If $\models_{G_\Delta} \exists \bar x P(\bar x)$ then there exist tuples $\bar t_1, \dots, \bar t_m$ of terms in $U(P)$, such that $\models_{G_\Delta} \bigvee_{i=1}^{m} P(\bar t_i)$.

² The notation hides the fact that the Skolem form also depends on the quantifier prefix. However, below, the context will always provide the relevant information.
Proof. Let $A_1, A_2, \dots$ be a non-repetitive enumeration of (the infinite set) $B(P)$. We construct a "semantic tree" $T$; i.e., a systematic representation of all possible order types of interpretations. $T$ is a rooted tree whose nodes appear at levels. Each node at level $\ell$ is labelled with an expression, called constraint, of form

$c_\ell = 0 \lhd_0 A_{\pi(1)} \lhd_1 \dots \lhd_{\ell-1} A_{\pi(\ell)} \lhd_\ell 1$,

where $\lhd_i$ is either $=$ or $<$ and $\pi$ is a permutation of $\{1, \dots, \ell\}$. We say that an interpretation $\mathcal I$ of $P(\bar x)$ fulfills the constraint $c_\ell$ if

$0 \lhd_0 val_{\mathcal I}(A_{\pi(1)}) \lhd_1 \dots \lhd_{\ell-1} val_{\mathcal I}(A_{\pi(\ell)}) \lhd_\ell 1$

holds. We say that the constraint $c_{\ell+1} = 0 \lhd'_0 A_{\pi'(1)} \lhd'_1 \dots \lhd'_\ell A_{\pi'(\ell+1)} \lhd'_{\ell+1} 1$ extends $c_\ell$ if every interpretation fulfilling $c_{\ell+1}$ also fulfills $c_\ell$.

$T$ is constructed inductively as follows:

- The root of $T$ is at level 0 and is labelled with the constraint $0 < 1$.

- Let $\nu$ be a node at level $\ell$ with label $c_\ell$. If for all interpretations $\mathcal I$ that fulfill $c_\ell$ we have $val_{\mathcal I}(P(\bar t)) = 1$ for some instance $P(\bar t)$ of $P(\bar x)$, where the atoms of $P(\bar t)$ are among $A_1, \dots, A_\ell$, then $\nu$ is a leaf node of $T$. Otherwise, for each constraint that extends $c_\ell$ a successor node $\nu'$ labelled with this constraint is appended to $\nu$ (at level $\ell + 1$).

Observe that for all interpretations $\mathcal I$ of $B(P)$ there is a branch of $T$ such that $\mathcal I$ fulfills all constraints at all nodes of this branch. Two cases arise:

1. $T$ is finite. Let $\nu_1, \dots, \nu_m$ be the leaf nodes of $T$. Then $\models_{G_\Delta} \bigvee_{i=1}^{m} P(\bar t_i)$, where $P(\bar t_i)$ is an instance of $P(\bar x)$ such that $val_{\mathcal I}(P(\bar t_i)) = 1$ for all interpretations $\mathcal I$ that fulfill the constraint at $\nu_i$.

2. $T$ is infinite. By König's lemma, $T$ has an infinite branch. This implies that there is an interpretation $\mathcal I$ such that $val_{\mathcal I}(P(\bar t)) < 1$ for every tuple $\bar t$ of terms of $U(P)$. Now we use the following

Claim. For every propositional formula $P$ of $G_\Delta$ and interpretation $\mathcal I$ such that $val_{\mathcal I}(P) < 1$, one can find an interpretation $\mathcal I'$ such that $val_{\mathcal I'}(P) < c$, for an arbitrary constant $0 < c < 1$.

The claim is easily proved by structural induction on $P$. It follows that there is an interpretation $\mathcal I'$ with $val_{\mathcal I'}(\exists \bar x P(\bar x)) < 1$. This contradicts the assumption that $\models_{G_\Delta} \exists \bar x P(\bar x)$. □

The following lemma establishes sufficient conditions for a logic to allow reverse Skolemization. By this we mean the re-introduction of quantifiers in Herbrand expansions. Here, by a logic $\mathcal L$ we mean a set of formulas that is closed under modus ponens, generalization and substitutions (of both formulas and terms). We call a formula $P$ valid in $\mathcal L$ — and write: $\models_{\mathcal L} P$ — if $P \in \mathcal L$.

Lemma 6. Let $\mathcal L$ be a logic satisfying the following properties:

1. $\models_{\mathcal L} Q \vee P \ \Rightarrow\ \models_{\mathcal L} P \vee Q$ (commutativity of $\vee$)

2. $\models_{\mathcal L} (Q \vee P) \vee R \ \Rightarrow\ \models_{\mathcal L} Q \vee (P \vee R)$ (associativity of $\vee$)

3. $\models_{\mathcal L} Q \vee P \vee P \ \Rightarrow\ \models_{\mathcal L} Q \vee P$ (idempotency of $\vee$)

4. $\models_{\mathcal L} P(x) \ \Rightarrow\ \models_{\mathcal L} \forall x P(x)$

5. $\models_{\mathcal L} P(t) \ \Rightarrow\ \models_{\mathcal L} \exists x P(x)$







6. $\models_{\mathcal L} \forall x (P(x) \vee Q^{(x)}) \ \Rightarrow\ \models_{\mathcal L} (\forall x P(x)) \vee Q^{(x)}$

7. $\models_{\mathcal L} \exists x (P(x) \vee Q^{(x)}) \ \Rightarrow\ \models_{\mathcal L} (\exists x P(x)) \vee Q^{(x)}$

Let $\exists \bar x P^S(\bar x)$ be the Skolem form of $Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$. For all tuples of terms $\bar t_1, \dots, \bar t_m$ of the Herbrand universe of $P^S(\bar x)$

$\models_{\mathcal L} \bigvee_{i=1}^{m} P^S(\bar t_i) \ \Rightarrow\ \models_{\mathcal L} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$.

Proof. To re-introduce quantifiers we proceed as follows. Every instance of a Skolem term $s = f(t'_1, \dots, t'_k)$ in $\bigvee_{i=1}^{m} P^S(\bar t_i)$ is replaced by a new variable $z_s$. We denote the resulting formula by $\bigvee_{i=1}^{m} P^S(\bar t_i)[\bar z/\bar s]$. Let $V_{sk}$ be the set of such new variables. We define $z_s < z_t$ iff either $s$ is a subterm of $t$ or $s = f(t_1, \dots, t_a)$ and $t = g(t'_1, \dots, t'_b)$ and $a < b$.

Starting with the innermost quantifier occurrence $Q_n$ we re-introduce all quantifiers in $k$ steps from $k = n$ down to $k = 1$. We use $QP_j^{k}$ to denote the result of applying the substitutions from step $n$ down to $k + 1$ to the disjunct $P^S(\bar t_j)[\bar z/\bar s]$ and prefixing it with $Q_{k+1} y_{k+1} \dots Q_n y_n$. $m_k$ is the number of disjuncts remaining before step $k$ is applied.

If $Q_k y_k = \exists y_k$: Re-substitute $y_k$ for the variable $z_s \in V_{sk}$ that occurs in $QP_j^{k}$ at the positions where $s$ has replaced $y_k$ in $P^S(\bar t_j)$. By hypothesis 5 we obtain

$\models_{\mathcal L} \exists y_k \Big( \bigvee_{i=1}^{j-1} QP_i^{k} \vee QP_j^{k}[y_k/z_s] \vee \bigvee_{i=j+1}^{m_k} QP_i^{k} \Big)$.

By hypotheses 1, 2, and 7 one has

$\models_{\mathcal L} \Big( \bigvee_{i=1}^{j-1} QP_i^{k} \vee \exists y_k\, QP_j^{k}[y_k/z_s] \vee \bigvee_{i=j+1}^{m_k} QP_i^{k} \Big)$.

This is repeated for all $m_k$ disjuncts until $\exists y_k$ is re-introduced everywhere.

If $Q_k y_k = \forall y_k$: First eliminate redundant copies of identical disjuncts. This can be done by hypotheses 1, 2 and 3. Observe that, by the special form of Skolem terms, any maximal variable $z_s \in V_{sk}$ can now occur only in a single disjunct $QP_j^{k}$. Analogously to the case above, we can apply hypotheses 1, 2, 4 and 6 to re-introduce $Q_k$ and shift it to the appropriate disjunct to obtain:

$\models_{\mathcal L} \Big( \bigvee_{i=1}^{j-1} QP_i^{k} \vee \forall y_k\, QP_j^{k}[y_k/z_s] \vee \bigvee_{i=j+1}^{m_k} QP_i^{k} \Big)$.

This is repeated for all disjuncts until $\forall y_k$ is re-introduced everywhere.

Finally, $\models_{\mathcal L} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$ follows from contracting identical disjuncts (i.e., applying hypotheses 1, 2, and 3). □

Corollary 7. Let $\exists \bar x P^S(\bar x)$ be the Skolem form of $Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$. For all tuples $\bar t_1, \dots, \bar t_m$ of terms of the Herbrand universe of $P^S(\bar x)$:

$\models_{G_\Delta} \bigvee_{i=1}^{m} P^S(\bar t_i) \ \Rightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$.
Corollary 8. Let $P$ be a quantifier free formula of $G_\Delta$:

$\models_{G_\Delta} \exists \bar x P^S(\bar x) \ \Rightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$.

Proof.

$\models_{G_\Delta} \exists \bar x P^S(\bar x)$
$\Rightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} P^S(\bar t_i)$ for appropriate $\bar t_1, \dots, \bar t_m$, by Lemma 5
$\Rightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$ by Corollary 7. □

Proposition 9. For all formulas $P$ and $Q$ of $G_\Delta$

1. $\models_{G_\Delta} P \ \Leftrightarrow\ \models_{G_\Delta} \Delta P$

2. $\models_{G_\Delta} \Delta(P \vee Q) \ \Leftrightarrow\ \models_{G_\Delta} (\Delta P \vee \Delta Q)$.

Theorem 10. Let $P$ be a quantifier-free formula of $G_\Delta$ and $Q_i \in \{\forall, \exists\}$.

$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$

if and only if there exist tuples $\bar t_1, \dots, \bar t_m$ of terms of the Herbrand universe of $\exists \bar x P^S(\bar x)$, such that

$\models_{G_\Delta} \bigvee_{i=1}^{m} \Delta P^S(\bar t_i)$.

Proof.

($\Rightarrow$)
$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$
$\Rightarrow\ \models_{G_\Delta} \exists \bar y P^S(\bar y)$ by Lemma 3
$\Rightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} P^S(\bar t_i)$ by Lemma 5
$\Rightarrow\ \models_{G_\Delta} \Delta\big(\bigvee_{i=1}^{m} P^S(\bar t_i)\big)$ by Proposition 9.1
$\Rightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} \Delta P^S(\bar t_i)$ by Proposition 9.2

($\Leftarrow$)
$\models_{G_\Delta} \bigvee_{i=1}^{m} \Delta P^S(\bar t_i)$
$\Rightarrow\ \models_{G_\Delta} \Delta\big(\bigvee_{i=1}^{m} P^S(\bar t_i)\big)$ by Proposition 9.2
$\Rightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} P^S(\bar t_i)$ by Proposition 9.1
$\Rightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$ by Corollary 7. □



Remark 11. For $G_\infty$ (without $\Delta$), an alternative proof of Herbrand's theorem can be obtained using the analytic calculus HIF ("Hypersequent calculus for Intuitionistic Fuzzy logic") introduced in [?].

Corollary 12. Let $P$ be a quantifier-free formula of $G_\Delta$:

$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n) \ \Leftrightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n \Delta P(y_1, \dots, y_n)$.

Proof.

$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n)$
$\Leftrightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} \Delta P^S(\bar t_i)$ for appropriate $\bar t_1, \dots, \bar t_m$, by Theorem 10
$\Leftrightarrow\ \models_{G_\Delta} Q_1 y_1 \dots Q_n y_n \Delta P(y_1, \dots, y_n)$ by Corollary 7 and Lemma 5. □
4 A Chain Normal Form for Prenex $G_\Delta$

We define a normal form for formulas $P$ of prenex $G_\Delta$ that is based on the fact that the truth-value of $P$ under a given interpretation only depends on the ordering of the respective values of atoms occurring in $P$. We exploit the fact that the corresponding order relation is expressible in $G_\Delta$. (This is not true for $G_\infty$.) More formally, we use

$P \prec Q$ as an abbreviation for $\neg\Delta(Q \supset P)$, and
$P =_\Delta Q$ as an abbreviation for $\Delta(P \supset Q) \wedge \Delta(Q \supset P)$.

These formulas express strict linear order and equality, respectively, in the following sense. For every interpretation $\mathcal I$ of $G_\Delta$ one has

$val_{\mathcal I}(P \prec Q) = 1$ iff $val_{\mathcal I}(P) < val_{\mathcal I}(Q)$, and
$val_{\mathcal I}(P =_\Delta Q) = 1$ iff $val_{\mathcal I}(P) = val_{\mathcal I}(Q)$.

Definition 13. Let $P$ be a quantifier-free formula of $G_\Delta$ and $A_1, \dots, A_n$ the atoms occurring in $P$ except $\bot$ and $\top$. A $\Delta$-chain over $P$ is any formula of the form

$(\bot \lhd_0 A_{\pi(1)}) \wedge (A_{\pi(1)} \lhd_1 A_{\pi(2)}) \wedge \dots \wedge (A_{\pi(n-1)} \lhd_{n-1} A_{\pi(n)}) \wedge (A_{\pi(n)} \lhd_n \top)$

where $\pi$ is a permutation of $\{1, \dots, n\}$, $\lhd_j$ is either $\prec$ or $=_\Delta$, and at least one of the $\lhd_j$'s stands for $\prec$.

Every $\Delta$-chain describes a possible ordering of the values of atoms of $P$. By $\mathcal C(P)$ we denote the set of all $\Delta$-chains over $P$. For any $C \in \mathcal C(P)$, we define

$\{P\}^C \stackrel{def}{=} \top$ if $val_{\mathcal I}(P) = 1$, and $\{P\}^C \stackrel{def}{=} \bot$ if $val_{\mathcal I}(P) < 1$,

for all interpretations $\mathcal I$ that satisfy the ordering conditions expressed by $C$. Observe that $\{P\}^C$ is always defined.

Proposition 14. For all quantifier free formulas $P$, $Q$ and $F$ of $G_\Delta$

$\models_{G_\Delta} P \equiv Q \ \Rightarrow\ \models_{G_\Delta} F[P] \equiv F[Q]$

where $F[Q]$ denotes the formula arising from $F[P]$ by replacing some occurrences of the subformula $P$ by $Q$.

Lemma 15. For every quantifier free formula $P$ and $\Delta$-chain $C \in \mathcal C(P)$

$\models_{G_\Delta} C \supset (\Delta P \equiv \{P\}^C)$.

Proof. By induction on the structure of $P$ using the following tautologies of $G_\Delta$:

$(P \prec Q) \supset \Delta((P \supset Q) \equiv \top)$
$(Q \prec P) \supset \Delta((P \supset Q) \equiv Q)$
$(P =_\Delta Q) \supset \Delta((P \supset Q) \equiv \top)$

$(P \prec Q) \supset \Delta((P \vee Q) \equiv Q)$
$(Q \prec P) \supset \Delta((P \vee Q) \equiv P)$
$(Q =_\Delta P) \supset \Delta((P \vee Q) \equiv P)$

$(P \prec Q) \supset \Delta((P \wedge Q) \equiv P)$
$(Q \prec P) \supset \Delta((P \wedge Q) \equiv Q)$
$(Q =_\Delta P) \supset \Delta((P \wedge Q) \equiv P)$

$(P \prec \top) \supset \Delta(\Delta P \equiv \bot)$
$(P =_\Delta \top) \supset \Delta(\Delta P \equiv \top)$

and $\Delta(P \equiv Q) \supset (\Delta P \equiv \Delta Q)$, together with Proposition 14. □
Lemma 16. For every quantifier free formula $P$ and $C \in \mathcal C(P)$

$\models_{G_\Delta} (C \wedge \Delta P) \equiv (C \wedge \{P\}^C)$.

Proof. It is easy to check that $\models_{G_\Delta} (P_1 \wedge P_2) \wedge (P_1 \supset (P_2 \equiv P_3)) \supset (P_1 \wedge P_3)$. We instantiate the above formula by setting $P_1 = C$, $P_2 = \Delta P$ and $P_3 = \{P\}^C$. By using Lemma 15 we obtain $\models_{G_\Delta} (C \wedge \Delta P) \supset (C \wedge \{P\}^C)$. The converse implication follows analogously. □



Theorem 17. For every quantifier free formula $P$ there exists $\Gamma(P) \subseteq \mathcal C(P)$ such that

$\models_{G_\Delta} \Delta P \equiv \bigvee_{C \in \Gamma(P)} C$.

Proof. First note that $\models_{G_\Delta} \bigvee_{C \in \mathcal C(P)} C$. Therefore we have

$\models_{G_\Delta} \Delta P \equiv \Big[\Big(\bigvee_{C \in \mathcal C(P)} C\Big) \wedge \Delta P\Big]$.

By moving $\Delta P$ into the disjunction and using Lemma 16 one obtains

$\models_{G_\Delta} \Delta P \equiv \Big[\bigvee_{C \in \mathcal C(P)} (C \wedge \{P\}^C)\Big]$.

The claim follows by Proposition 14, since for every $C \in \mathcal C(P)$ we have either $\models_{G_\Delta} (C \wedge \{P\}^C) \equiv (C \wedge \top)$ or $\models_{G_\Delta} (C \wedge \{P\}^C) \equiv (C \wedge \bot)$. □
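The semantics of Section 2, the abbreviations $P \prec Q$ and $P =_\Delta Q$, the $\Delta$-chains of Definition 13 and the chain normal form of Theorem 17 can all be exercised in a few dozen lines. The following is an added example and not code from the paper: quantifier-free $G_\Delta$ formulas are nested tuples, an interpretation is a dict of atom values, and the names (`val`, `delta_chains`, `gamma`, `check_chain_normal_form`) and the sample valuation grid `GRID` are the example's own choices. `gamma` computes $\Gamma(P)$ as the chains $C$ with $\{P\}^C = \top$, and `check_chain_normal_form` verifies Lemma 15 and Theorem 17 on every valuation of the grid.

```python
from fractions import Fraction
from itertools import permutations, product

# Quantifier-free G_Delta formulas as nested tuples; an atom carries a name that is
# looked up in an interpretation I, here a dict mapping atom names to values in [0, 1].
TOP, BOT = ('top',), ('bot',)

def atom(name): return ('atom', name)
def And(p, q): return ('and', p, q)
def Or(p, q): return ('or', p, q)
def Imp(p, q): return ('imp', p, q)
def Delta(p): return ('delta', p)
def Not(p): return Imp(p, BOT)                                  # ¬P abbreviates P ⊃ ⊥
def Equiv(p, q): return And(Imp(p, q), Imp(q, p))                # P ≡ Q
def Prec(p, q): return Not(Delta(Imp(q, p)))                     # P ≺ Q abbreviates ¬Δ(Q ⊃ P)
def EqD(p, q): return And(Delta(Imp(p, q)), Delta(Imp(q, p)))   # P =Δ Q

def val(f, I):
    """Gödel truth value of f under I: min, max, Gödel implication and the Δ projection."""
    tag = f[0]
    if tag == 'atom':
        return I[f[1]]
    if tag == 'top':
        return Fraction(1)
    if tag == 'bot':
        return Fraction(0)
    if tag == 'delta':
        return Fraction(1) if val(f[1], I) == 1 else Fraction(0)
    a, b = val(f[1], I), val(f[2], I)
    if tag == 'and':
        return min(a, b)
    if tag == 'or':
        return max(a, b)
    if tag == 'imp':
        return Fraction(1) if a <= b else b
    raise ValueError(tag)

def delta_chains(atoms):
    """All Δ-chains over the atoms (Definition 13): a permutation plus one link symbol
    per position ('<' for ≺, '=' for =Δ) from ⊥ through the atoms to ⊤, at least one '<'."""
    return [(perm, rels) for perm in permutations(atoms)
            for rels in product('<=', repeat=len(atoms) + 1) if '<' in rels]

def chain_formula(chain):
    """The conjunction (⊥ ◁0 A_π(1)) ∧ (A_π(1) ◁1 A_π(2)) ∧ ... ∧ (A_π(n) ◁n ⊤)."""
    perm, rels = chain
    elems = [BOT] + [atom(a) for a in perm] + [TOP]
    links = [Prec(l, r) if rel == '<' else EqD(l, r)
             for l, rel, r in zip(elems, rels, elems[1:])]
    f = links[0]
    for link in links[1:]:
        f = And(f, link)
    return f

def representative(chain):
    """One interpretation fulfilling the chain: the value rises by 1/k at each of the k '<' links."""
    perm, rels = chain
    k, level, I = rels.count('<'), 0, {}
    for name, rel in zip(perm, rels):          # rels[i] is the link just before atom perm[i]
        if rel == '<':
            level += 1
        I[name] = Fraction(level, k)
    return I

def bracket(P, chain):
    """{P}^C: ⊤ if P takes value 1 under the order type described by C, else ⊥.
    Well defined because the value of P depends only on that order type (Remark 4)."""
    return TOP if val(P, representative(chain)) == 1 else BOT

def gamma(P, atoms):
    """Γ(P): the chains C with {P}^C = ⊤, i.e. the disjuncts of the chain normal form."""
    return [c for c in delta_chains(atoms) if bracket(P, c) == TOP]

def check_chain_normal_form(P, atoms, grid):
    """Theorem 17 (ΔP ≡ ⋁ Γ(P)) and Lemma 15 (C ⊃ (ΔP ≡ {P}^C)) on every valuation in grid^n."""
    nf = BOT
    for c in gamma(P, atoms):
        nf = Or(nf, chain_formula(c))
    for values in product(grid, repeat=len(atoms)):
        I = dict(zip(atoms, values))
        if val(Delta(P), I) != val(nf, I):
            return False
        for c in delta_chains(atoms):
            if val(Imp(chain_formula(c), Equiv(Delta(P), bracket(P, c))), I) != 1:
                return False
    return True

GRID = [Fraction(k, 4) for k in range(5)]   # constructed sample valuations 0, 1/4, ..., 1

if __name__ == "__main__":
    A, B = atom('A'), atom('B')
    P = Imp(A, B)                             # ΔP takes value 1 exactly when A ≤ B
    print(len(gamma(P, ['A', 'B'])), "chains in Γ(A ⊃ B)")
    print(check_chain_normal_form(P, ['A', 'B'], GRID))
```

Because the value of a formula depends only on the order type of its atoms (Remark 4), a grid with more distinct points than there are atoms and truth constants already exercises every order type, so the finite check in `check_chain_normal_form` is exhaustive for two atoms on the five-point grid.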



Remark 18. A related normal form has been introduced for propositional Gödel logic without $\Delta$ in [?]. There, the total order of the truth values is expressed using the formulas $A \equiv B$ and $A < B$, where the latter abbreviates $(A \supset B) \wedge ((B \supset A) \supset A)$.

As a corollary to this normal form theorem and Herbrand's theorem (Theorem 10) we obtain:

Corollary 19. Let $P$ be a quantifier-free formula of $G_\Delta$. There exist tuples of terms $\bar t_1, \dots, \bar t_m$ of the Herbrand universe of $P$ such that

$\models_{G_\Delta} Q_1 y_1 \dots Q_n y_n P(y_1, \dots, y_n) \ \Leftrightarrow\ \models_{G_\Delta} \bigvee_{i=1}^{m} \bigvee_{C \in \Gamma(P^S)} C[\bar t_i / \bar y]$

where $C[\bar t_i / \bar y]$ is the chain obtained by substituting $\bar t_i$ for $\bar y$.
5 Translation into Order Clauses

The chain normal form for prenex formulas $P$ of $G_\Delta$, introduced in Section 4 above, can be used to reduce the validity problem for $P$ to the problem of detecting unsatisfiability of a corresponding set of "order clauses" with respect to the (classical) theory of dense total orders with endpoints 0 and 1. However, the computation of the chain normal form is quite inefficient in general. Therefore we use properties of $\Delta$ to introduce also a "definitional normal form", similar to the one for classical or intuitionistic logic (see, e.g., [?]).

Definition 20. For any formula $F$ of form $F_1 \circ F_2$, where $\circ \in \{\wedge, \vee, \supset\}$, let

$df(F) \stackrel{def}{=} [p_F(\bar x) =_\Delta (p_{F_1}(\bar x_1) \circ p_{F_2}(\bar x_2))]$

where $p_F, p_{F_1}, p_{F_2}$ are new predicate symbols and $\bar x, \bar x_1, \bar x_2$ are the tuples of variables occurring in $F, F_1, F_2$, respectively. If $F$ is of form $\Delta F_1$ then

$df(F) \stackrel{def}{=} [p_F(\bar x) =_\Delta \Delta p_{F_1}(\bar x)]$.

If $F$ is atomic then $p_F(\bar x)$ is used as an alternative denotation for $F(\bar x)$.

For any quantifier free formula $P$ the definitional normal form is defined as

$DEF(P) \stackrel{def}{=} \Big[\Big(\bigwedge_{F \in nasf(P)} df(F)\Big) \supset \Delta p_P(\bar x)\Big]$

where $nasf(P)$ denotes the set of all non-atomic subformulas of $P$, $\bar x$ is the tuple of variables occurring in $P$, and $p_P$ is a new predicate symbol.



Remark 21. Certain optimizations, using tautologies of $G_\Delta$, will lead to shorter definitional normal forms in general. However, in any case the logical complexity (i.e. the number of connectives) of $DEF(P)$ is linear in the logical complexity of $P$.

Lemma 22. For all quantifier free formulas $P$ of $G_\Delta$:

$\models_{G_\Delta} \exists \bar x P(\bar x) \ \Leftrightarrow\ \models_{G_\Delta} \exists \bar x\, DEF(P(\bar x))$.

Proof. By Corollary 12, $\models_{G_\Delta} \exists \bar x P(\bar x)$ iff $\models_{G_\Delta} \exists \bar x\, \Delta P(\bar x)$. For every interpretation $\mathcal I$: $val_{\mathcal I}(A =_\Delta B) = 1$ if $val_{\mathcal I}(A) = val_{\mathcal I}(B)$, and $val_{\mathcal I}(A =_\Delta B) = 0$ otherwise. Consequently, the proof proceeds exactly as in the case for classical logic (see [?]). I.e., for all non-atomic quantifier free formulas $F(\bar x)$, one can show by induction on the complexity of $F$ that $val_{\mathcal I}(df(F(\bar x))) = 1$ iff $val_{\mathcal I}(F(\bar x)) = val_{\mathcal I}(p_F(\bar x))$. □

We translate prenex $G_\Delta$-formulas into sets of clauses of the following form.

Definition 23. Let the sign $\lhd$ stand for either $<$ or $\le$. An inequality is an expression
of form $s \lhd t$, where $s, t \in T(F, X)$, i.e., the set of all terms over function symbols $F$
(including constants) and variables $X$. An (order) clause is a finite set of inequalities.
Definition 24. By a dense total order $\mathcal O$ we mean a (classical) interpretation of the
signature $<$, $\le$, and $F$, where $<$ is interpreted as a strict and dense total (linear) order
over the elements assigned to $T(F, X)$ and $\le$ is interpreted as the reflexive closure of $<$.
If also the endpoint axioms $\forall x(0 \le x)$, $\forall x(x \le 1)$, and $0 < 1$ are satisfied we call $\mathcal O$ a
DTOE-model. A set of order clauses $S$ is DTOE-satisfiable if $S$ has a dense total order
with endpoints 0 and 1, respectively, as model.

In the following we also allow equalities $s = t$ to occur in clauses. However, a
clause of form $\{s = t\} \cup C$ is considered here as an abbreviation for the two clauses
$\{s \le t\} \cup C$ and $\{t \le s\} \cup C$.

Remark 25. In implementing the proof procedure, equalities can and should be handled
more efficiently than indicated above. In particular, combinations of chaining and
superposition along the lines of [?] should be applied.

Definition 26. We define sets of clauses that correspond to the various forms of
formulas of type $\mathrm{df}(F)$:

$\mathrm{cl}(A =_\Delta (B \wedge C)) = \{\{A \le B\}, \{A \le C\}, \{A = B, A = C\}\}$

$\mathrm{cl}(A =_\Delta (B \vee C)) = \{\{B \le A\}, \{C \le A\}, \{A = B, A = C\}\}$

$\mathrm{cl}(A =_\Delta (B \supset C)) = \{\{1 \le A, A = C\}, \{B \le C, A = C\}, \{1 \le A, C < B\}\}$

$\mathrm{cl}(A =_\Delta \Delta B) = \{\{A < 1, 1 \le B\}, \{B < 1, 1 \le A\}\}$

where $A$, $B$ and $C$ are atoms, considered as terms.

The clause form for formulas $\exists \bar x P(\bar x)$ is given by

$\mathrm{CF}^d(\exists \bar x P(\bar x)) \stackrel{\text{def}}{=} \{\{p_P(\bar x) < 1\}\} \cup \bigcup_{F \in \mathrm{nasf}(P)} \mathrm{cl}(\mathrm{df}(F))$

To define the alternative clause normal form $\mathrm{CF}^c(\exists \bar x P(\bar x))$ based on chains, let
$[A < B]^* \stackrel{\text{def}}{=} \{B \le A\}$ and $[A =_\Delta B]^* \stackrel{\text{def}}{=} \{A < B, B < A\}$.

$\mathrm{CF}^c(\exists \bar x P(\bar x)) \stackrel{\text{def}}{=} \Big\{ \bigcup_{A \bowtie B \in C} [A \bowtie B]^* \;\Big|\; C \in \Gamma(P) \Big\}$

where $\Gamma(P)$ is the subset of the chains of $P$ given by Theorem [?].

Lemma 27. For every interpretation $\mathcal I$ there is a DTOE-model $\mathcal O_{\mathcal I}$, such that for all
non-atomic $F$: $\mathrm{val}_{\mathcal I}(\mathrm{df}(F)) = 1$ iff $\mathcal O_{\mathcal I}$ satisfies $\mathrm{cl}(\mathrm{df}(F))$; and vice versa.

Proof. We only present the case for $F = [A =_\Delta (B \wedge C)]$. The other cases are similar.
We have:

$\mathrm{val}_{\mathcal I}(A =_\Delta (B \wedge C)) = 1 \iff \mathrm{val}_{\mathcal I}(A) = \min\{\mathrm{val}_{\mathcal I}(B), \mathrm{val}_{\mathcal I}(C)\}$

$\iff \mathrm{val}_{\mathcal I}(A) \le \mathrm{val}_{\mathcal I}(B)$ and $\mathrm{val}_{\mathcal I}(A) \le \mathrm{val}_{\mathcal I}(C)$ and
($\mathrm{val}_{\mathcal I}(A) = \mathrm{val}_{\mathcal I}(B)$ or $\mathrm{val}_{\mathcal I}(A) = \mathrm{val}_{\mathcal I}(C)$)

Therefore $\mathcal I$ induces a DTOE-model $\mathcal O_{\mathcal I}$ satisfying the order clauses

$\{A \le B\}$, $\{A \le C\}$, and $\{A = B, A = C\}$.

Conversely, every DTOE-model for this clause set induces an interpretation that evaluates
$A =_\Delta (B \wedge C)$ to 1. □
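Definition 26 and the check behind Lemma 27, as an added Python example that is not part of the paper. Formulas are nested tuples over atoms (the variable tuples are dropped, so the quantifier-free matrix is treated propositionally); `clause_form` builds $\mathrm{CF}^d$ of Definitions 20 and 26 with fresh symbols p1, p2, ... for the non-atomic subformulas, and `check_lemma27` verifies over a finite grid of rational truth values that the clause set $\mathrm{cl}(A =_\Delta (B \circ C))$ is satisfied exactly when the value of $A$ equals the Gödel value of $B \circ C$; for the $\Delta$-case the two clauses constrain only whether $A$ takes the value 1, and that is what is checked there. `grid_satisfiable` is a sanity check only: a DTOE-unsatisfiable set is also unsatisfiable when the atoms range over a finite grid of rationals in $[0,1]$, but not conversely. The formulas used as input are constructed here.

```python
from fractions import Fraction
from itertools import product

# Formulas are nested tuples: an atom is a string; compound forms are
# ("and", F1, F2), ("or", F1, F2), ("imp", F1, F2) and ("delta", F1).
# Variable tuples are dropped, i.e. the quantifier-free matrix is treated
# propositionally; the clause shapes are those of Definition 26.
# An inequality is (s, rel, t) with rel in {"<", "<=", "="}; the constant 1 is
# the integer 1; a clause is a frozenset of inequalities.  A clause {s = t}
# stands for the pair {s <= t}, {t <= s}, as in the text.

def cl(conn, a, b, c=None):
    """Order clauses for a =_Delta (b conn c), resp. a =_Delta Delta b."""
    if conn == "and":      # a = min(b, c)
        return {frozenset({(a, "<=", b)}), frozenset({(a, "<=", c)}),
                frozenset({(a, "=", b), (a, "=", c)})}
    if conn == "or":       # a = max(b, c)
        return {frozenset({(b, "<=", a)}), frozenset({(c, "<=", a)}),
                frozenset({(a, "=", b), (a, "=", c)})}
    if conn == "imp":      # a = 1 if b <= c, otherwise a = c
        return {frozenset({(1, "<=", a), (a, "=", c)}),
                frozenset({(b, "<=", c), (a, "=", c)}),
                frozenset({(1, "<=", a), (c, "<", b)})}
    if conn == "delta":    # a = 1 iff b = 1
        return {frozenset({(a, "<", 1), (1, "<=", b)}),
                frozenset({(b, "<", 1), (1, "<=", a)})}
    raise ValueError(conn)

def clause_form(formula):
    """CF^d of Definition 26: {{p_P < 1}} plus cl(df(F)) for every non-atomic
    subformula F.  Atoms stand for their own p_F; other subformulas get fresh
    symbols p1, p2, ... (equal subformulas share one symbol)."""
    names, clauses = {}, set()

    def name(f):
        if isinstance(f, str):
            return f
        if f not in names:
            names[f] = "p%d" % (len(names) + 1)
            clauses.update(cl(f[0], names[f], *[name(g) for g in f[1:]]))
        return names[f]

    clauses.add(frozenset({(name(formula), "<", 1)}))
    return frozenset(clauses)

def holds(clauses, val):
    """Classical satisfaction of a clause set when the atoms are assigned the
    rational values in val (the rationals of [0,1] form a DTOE-model)."""
    term = lambda t: val[t] if isinstance(t, str) else Fraction(t)
    rel = {"<": lambda x, y: x < y, "<=": lambda x, y: x <= y,
           "=": lambda x, y: x == y}
    return all(any(rel[r](term(s), term(t)) for (s, r, t) in c) for c in clauses)

def goedel(conn, b, c=None):
    """Goedel truth functions of the connectives of the paper."""
    if conn == "and":
        return min(b, c)
    if conn == "or":
        return max(b, c)
    if conn == "imp":
        return Fraction(1) if b <= c else c
    if conn == "delta":
        return Fraction(int(b == 1))
    raise ValueError(conn)

GRID = (Fraction(0), Fraction(1, 4), Fraction(1, 2), Fraction(3, 4), Fraction(1))

def check_lemma27(grid=GRID):
    """Exhaustively check, over the finite grid of truth values, that the clause
    set cl(A =_Delta (B conn C)) is satisfied exactly when val(A) equals the
    Goedel value of B conn C.  For Delta the two clauses only fix whether A
    equals 1, so that is the property checked in that case."""
    result = {}
    for conn in ("and", "or", "imp", "delta"):
        ok = True
        for a, b, c in product(grid, repeat=3):
            sat = holds(cl(conn, "A", "B", "C"), {"A": a, "B": b, "C": c})
            if conn == "delta":
                expected = (a == 1) == (b == 1)
            else:
                expected = a == goedel(conn, b, c)
            ok = ok and sat == expected
        result[conn] = ok
    return result

def grid_satisfiable(clauses, grid=(Fraction(0), Fraction(1, 2), Fraction(1))):
    """Search for a satisfying assignment with values from the grid.  A
    DTOE-unsatisfiable set is unsatisfiable here as well; the converse does
    not hold, so a positive answer only means 'not refuted by this grid'."""
    symbols = sorted({t for c in clauses for (s, _, u) in c for t in (s, u)
                      if isinstance(t, str)})
    return any(holds(clauses, dict(zip(symbols, vals)))
               for vals in product(grid, repeat=len(symbols)))

if __name__ == "__main__":
    print(check_lemma27())
    valid = ("imp", ("and", "P", "Q"), "P")        # (P and Q) implies P
    print(len(clause_form(valid)), grid_satisfiable(clause_form(valid)))
```

For the valid matrix $(P \wedge Q) \supset P$ the clause set has seven clauses and no grid assignment satisfies it, which is what Theorem 28 predicts for a valid formula; for $P \supset Q$ the assignment $P = 1$, $Q = 0$, $p_1 = 0$ satisfies it.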
Theorem 28. Any prenex formula $Q_1y_1 \ldots Q_ny_n P(y_1, \ldots, y_n)$ of $G_\Delta$ is valid if and
only if $\mathrm{CF}^d(\exists \bar x P^S(\bar x))$ is DTOE-unsatisfiable.

Proof. By Lemma [?] and Corollary [?] we have: $\models_{G_\Delta} Q_1y_1 \ldots Q_ny_n P(y_1, \ldots, y_n)$ iff
$\models_{G_\Delta} \exists \bar x P^S(\bar x)$. By Lemma 22 we have: $\models_{G_\Delta} \exists \bar x P^S(\bar x)$ iff $\models_{G_\Delta} \exists \bar x\, \mathrm{DEF}(P^S(\bar x))$.
Since the conclusion as well as the conjuncts in the premise of $\mathrm{DEF}(P^S(\bar x))$ are prefixed
by $\Delta$, those subformulas behave like in classical logic. Hence the validity problem can
be dualized; i.e., $\exists \bar x\, \mathrm{DEF}(P^S(\bar x))$ is valid iff

$\forall \bar x\, \neg\Delta p_P(\bar x) \wedge \bigwedge_{F \in \mathrm{nasf}(P)} \forall \bar y\, \mathrm{df}(F)$

is unsatisfiable. By Lemma 27 the latter is equivalent to the DTOE-unsatisfiability of
$\mathrm{CF}^d(\exists \bar x P^S(\bar x))$. □



Remark 29. By similar arguments Theorem 28 also holds for $\mathrm{CF}^c(\exists \bar x P^S(\bar x))$.

6 Using an Ordered Chaining Calculus 

In the previous sections, we have reduced the validity problem for prenex $G_\Delta$ to checking
DTOE-unsatisfiability of certain sets of order clauses. Fortunately, efficient theorem
proving for (various types of) order clauses has already received considerable attention
in the literature; see [?] (and the references given there).

Some familiarity with basic notions from automated deduction, in particular the
concept of a most general unifier (mgu) of two or more terms, is assumed in the following
(see, e.g., [?]). We will identify a substitution $\sigma$ with a set $\{x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n\}$
and define $\mathrm{codom}(\sigma) = \{t_1, \ldots, t_n\}$.

We consider the following rules (cf. [?]) for order clauses:

Irreflexivity Resolution:

$\dfrac{C \cup \{s < t\}}{C\sigma}$

where $\sigma$ is the mgu of $s$ and $t$.

(Factorized) Chaining:

$\dfrac{C \cup \{u_1 \lhd_1 s_1, \ldots, u_m \lhd_m s_m\} \qquad D \cup \{t_1 \lhd'_1 v_1, \ldots, t_n \lhd'_n v_n\}}{C\sigma \cup D\sigma \cup \{u_i\sigma \lhd_{ij} v_j\sigma \mid 1 \le i \le m,\ 1 \le j \le n\}}$

where $\sigma$ is the mgu of $s_1, \ldots, s_m, t_1, \ldots, t_n$ and $\lhd_{ij}$ is $<$ if and only if either $\lhd_i$
is $<$ or $\lhd'_j$ is $<$. Moreover, $t_1\sigma$ occurs in $D\sigma$ only in inequalities $v \lhd t_1\sigma$.

These two rules constitute a refutationally complete inference system for the theory of
all total orders in presence of the set $\mathcal{E}_{eq}$ of clauses

$\{x_i < y_i,\ y_i < x_i \mid 1 \le i \le n\} \cup \{f(x_1, \ldots, x_n) \le f(y_1, \ldots, y_n)\}$

where $f$ ranges over the set $F$ of function symbols of the signature. Observe that, in
translating a formula $P$ from prenex $G_\Delta$ into a set of order clauses $\mathrm{CF}^c(P)$, we treat the
predicate symbols of $P$ as function symbols. Additional function symbols occur from
Skolemization.

M. Baaz, A. Ciabattoni, and C.G. Fermüller

The inference system is not yet sufficiently restrictive for efficient proof search. We
follow [?] and add conditions to the rules that refer to some complete reduction order $\succ$
(on the set of all terms). We write $s \not\succ t$ if $\neg(s \succ t)$ and $s \neq t$; and "$t$ is basic in
(clause) $C$" if $t \lhd s \in C$ or $s \lhd t \in C$.

Maximality Condition for Irreflexivity Resolution: $s\sigma$ is a maximal term in $C\sigma$.

Maximality Condition for Chaining: (1) $u_i\sigma \not\succ s_i\sigma$ for all $1 \le i \le m$, (2) $v_j\sigma \not\succ t_j\sigma$
for all $1 \le j \le n$, (3) $u\sigma \not\succ s_1\sigma$ for all terms $u$ that are basic in $C$, and (4) $v\sigma \not\succ t_1\sigma$
for all terms $v$ that are basic in $D$.

For our purposes it is convenient to view the resulting inference system $\mathrm{MC}_\succ$ as a set
operator.

Definition 30. $\mathrm{MC}_\succ(S)$ is the set of all conclusions of Irreflexivity Resolution or Maximal
Chaining where the premises are (variable renamed copies of) members of the set
of clauses $S$. Moreover, $\mathrm{MC}^0_\succ(S) = S$, $\mathrm{MC}^{i+1}_\succ(S) = \mathrm{MC}_\succ(\mathrm{MC}^i_\succ(S)) \cup \mathrm{MC}^i_\succ(S)$,
and $\mathrm{MC}^\infty_\succ(S) = \bigcup_{i \ge 0} \mathrm{MC}^i_\succ(S)$.

The set consisting of the three clauses $\{0 \le x\}$, $\{x \le 1\}$, and $\{0 < 1\}$, corresponding
to the endpoint axioms, is called $\mathcal{E}_0$. The set consisting of $\{y \le x, d(x, y) < y\}$ and
$\{y \le x, x < d(x, y)\}$, corresponding to the usual density axiom, is called $\mathcal{D}_0$.

The following completeness theorem follows directly from Theorem 2 of [?].

Theorem 31. $S$ has a dense total order with endpoints 0 and 1 as a model if and only
if $\mathrm{MC}^\infty_\succ(S \cup \mathcal{E}_{eq} \cup \mathcal{E}_0 \cup \mathcal{D}_0)$ does not contain the empty clause.
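The two inference rules of this section, instantiated for ground (variable-free) clauses, as an added Python example that is not part of the paper. On ground terms every mgu is the identity, and the maximality conditions as well as the theory clauses $\mathcal{E}_{eq}$, $\mathcal{E}_0$, $\mathcal{D}_0$ are left out, so the code is the unrestricted ground instance of Irreflexivity Resolution and Factorized Chaining rather than $\mathrm{MC}_\succ$ itself; `saturate` plays the role of the closure operator $\mathrm{MC}^\infty_\succ$ of Definition 30. The sample clause sets over the constants a, b, c are constructed here.

```python
# Ground (variable-free) order clauses.  An inequality is (s, rel, t) with
# rel in {"<", "<="} and s, t constant terms; a clause is a frozenset of
# inequalities and frozenset() is the empty clause.  On ground clauses every
# mgu is the identity, and the maximality conditions as well as the theory
# clauses E_eq, E_0, D_0 of the paper are left out here, so this is the
# unrestricted ground instance of the two rules, not MC_> itself.

def irreflexivity_resolution(clause):
    """C u {s < s}  ==>  C  (the mgu of s with itself is the identity)."""
    return {clause - {lit} for lit in clause if lit[1] == "<" and lit[0] == lit[2]}

def chaining(c, d):
    """Factorized chaining through a term s that occurs on the right in c and
    on the left in d:
        C u {u_1 <| s, ..., u_m <| s}     D u {s <|' v_1, ..., s <|' v_n}
        ==>  C u D u {u_i <|_ij v_j}
    where <|_ij is strict iff one of the two chained inequalities is strict."""
    out = set()
    for s in {t for (_, _, t) in c} & {t for (t, _, _) in d}:
        left = {lit for lit in c if lit[2] == s}
        right = {lit for lit in d if lit[0] == s}
        joined = {(u, "<" if "<" in (r1, r2) else "<=", v)
                  for (u, r1, _) in left for (_, r2, v) in right}
        out.add(frozenset((c - left) | (d - right) | joined))
    return out

def saturate(clauses):
    """Closure of the clause set under both rules (ground analogue of the
    operator MC^infinity of Definition 30).  Terminates because only finitely
    many ground inequalities exist over the given constants."""
    known = {frozenset(c) for c in clauses}
    todo = list(known)
    while todo:
        c = todo.pop()
        derived = set(irreflexivity_resolution(c))
        for d in list(known):
            derived |= chaining(c, d) | chaining(d, c)
        for e in derived:
            if e not in known:
                known.add(e)
                todo.append(e)
    return known

def refutable(clauses):
    """True iff the empty clause is derivable.  Both rules are sound for total
    orders, so a refuted set has no model that is a total order."""
    return frozenset() in saturate(clauses)

# Constructed sample inputs (a, b, c are atoms treated as ground terms).
# {a <= b}, {b < c}, {c <= a} is contradictory in every total order, ...
CYCLE = [{("a", "<=", "b")}, {("b", "<", "c")}, {("c", "<=", "a")}]
# ... dropping the last clause leaves a satisfiable set, ...
CHAIN = [{("a", "<=", "b")}, {("b", "<", "c")}]
# ... and {a < b, b < a} together with a = b (written as two clauses,
# as in the text) is contradictory again.
EQ_NEQ = [{("a", "<", "b"), ("b", "<", "a")}, {("a", "<=", "b")}, {("b", "<=", "a")}]

if __name__ == "__main__":
    for label, s in (("CYCLE", CYCLE), ("CHAIN", CHAIN), ("EQ_NEQ", EQ_NEQ)):
        print(label, "refuted" if refutable(s) else "not refuted")
```

On CYCLE, chaining $\{a \le b\}$ with $\{b < c\}$ yields $\{a < c\}$, chaining that with $\{c \le a\}$ yields $\{a < a\}$, and Irreflexivity Resolution turns it into the empty clause.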



Remark 32. Even more refined "chaining calculi" for handling orders have been defined
by Bachmair and Ganzinger in [?]. However, $\mathrm{MC}_\succ$ turns out to be quite appropriate
for our context. (In particular, since the problem of "variable chaining" does not occur
for the sets of clauses considered here.)

7 The Monadic Prenex Fragment 

A formula is called monadic if all predicate symbols are monadic (unary) and no function 
symbols occur in it. 

To support the claim that $\mathrm{MC}_\succ$ provides an efficient proof system for prenex $G_\Delta$,
we conclude by investigating the special case of monadic formulas.

To appreciate the importance of this fragment, remember that monadic predicates
are interpreted as fuzzy sets. We will show that $\mathrm{MC}_\succ$ allows us to prevent the nesting of
function symbols (beyond the level of the input set) in clauses derivable from chain-based
clause normal forms of the Skolem form of a prenex and monadic formula.

To characterize the syntactic restrictions obeyed by clauses arising from translating 
prenex monadic formulas we need some additional notation. 
From now on we assume that the set of function symbols $F$ is the disjoint
union $\mathbf{S} \cup \mathbf{P} \cup \{0, 1\} \cup \{d\}$, where $\mathbf{S}$ are the function symbols and constants arising
from Skolemizing the original formula $P$, and $\mathbf{P}$ is the set of monadic predicate symbols
occurring in $P$. We will distinguish the different types of function symbols syntactically
by using lower case letters for symbols in $\mathbf{S}$ and upper case letters for symbols in $\mathbf{P}$.
Moreover, we assume the set of variables $X$ to be stratified in the following sense: $X$
is the disjoint union $\biguplus_{1 \le i \le p} X_i$, where each $X_i$ is infinite and $p$ is the maximal arity of
function symbols in $F$.

Definition 33. We call a term simple if it is either a variable or a constant or of form
$f(x_1, \ldots, x_n)$ where $x_i \in X_i$ for $1 \le i \le n$. (We call terms of the latter type stratified.)
A term is called atom-like if it is of form $P(s)$, where $P$ is a monadic function symbol
and $s$ is a simple term.

An inequality $t_1 \lhd t_2$ is called monadic if $t_1, t_2$ are either simple or atom-like. A
clause is called monadic if all its inequalities are monadic. Finally, a set of clauses is
called monadic if all its clauses are monadic.



Proposition 34. Let $Q_1y_1 \ldots Q_ny_n P(y_1, \ldots, y_n)$ be a monadic and prenex formula
of $G_\Delta$. Then $\mathrm{CF}^c(\exists \bar x P^S)$ is monadic. Moreover, $\mathcal{E}_{eq}$, $\mathcal{E}_0$, and $\mathcal{D}_0$ are monadic too, up
to renaming of variables.

To obtain the closure of the class of monadic sets of clauses with respect to $\mathrm{MC}_\succ$,
we have to choose the reduction order $\succ$ appropriately. From now on we assume that $\succ$
fulfills all of the following, where $x \in X$ and $P, Q \in \mathbf{P}$:

(a) $t \succ x$ if $x$ is a proper subterm of $t$, and

(b) $t \succ P(x)$ if $t$ is a simple term containing $x$ as a proper subterm.

(c) $Q(t) \succ P(x)$ if $t$ is a simple term containing $x$ as a proper subterm.

It is easy to check that these conditions are fulfilled if $\succ$ is a lexicographic path order
based on a strict order $>_F$ of the signature where $f >_F p$ whenever $f \in \mathbf{S}$ and $p \in \mathbf{P}$.
(See, e.g., [?].)

Lemma 35. If $S$ is monadic then $\mathrm{MC}_\succ(S)$ is monadic too.

Proof. Consider irreflexivity resolution: i.e., $C\sigma$ where $\sigma$ is the mgu of $s$ and $t$ in the
monadic clause $C \cup \{s < t\}$.

(1) If $\mathrm{codom}(\sigma)$ contains only variables (or $\sigma$ is the empty substitution) then the only
condition on monadicity that is not already obviously fulfilled by $C\sigma$ is that all
terms of form $f(x_1, \ldots, x_n)$ occurring in $C\sigma$ are stratified. We have to check the
following cases:

(1.1) $s$ and $t$ are variables: By the maximality condition, no term of form
$f(x_1, \ldots, x_n)$ in $C$ can contain $s$ or $t$ as a subterm. Therefore such terms
remain unchanged and, in particular, stratified.

(1.2) $s = f(x_1, \ldots, x_n)$ and $t = f(y_1, \ldots, y_n)$. Since $x_i \in X_i$ and $y_i \in X_i$,
stratification is preserved in $C\sigma$.

(1.3) $s = P(f(x_1, \ldots, x_n))$ and $t = P(f(y_1, \ldots, y_n))$. Like case (1.2).

(1.4) $s = P(x)$ and $t = P(y)$; $\sigma = \{x \leftarrow y\}$ or $\sigma = \{y \leftarrow x\}$. By the maximality
condition and conditions (b) and (c) no term of form $f(x_1, \ldots, x_n)$ in $C$ can
contain $x$ or $y$ as a subterm. Therefore such terms remain stratified.

(2) Otherwise, since $s < t$ is monadic, $\sigma$ is of form $\{x \leftarrow r\}$ for some term $r$ that is
either simple or atom-like, but not a variable. Without loss of generality, we assume
that $x$ occurs in $s$ (but not in $t$). Since $r$ is not a variable, there are only the following
two cases:

(2.1) $s = x$ and $t = r$: By the maximality condition and condition (a) for $\succ$, $x$ cannot
be a proper subterm of a term in $C$. I.e., $x$ is basic in $C$, if it occurs in $C$ at all.
Therefore $C\sigma$ is monadic.

(2.2) $s = P(x)$ and $t = P(r)$ for some $P \in \mathbf{P}$: By the maximality condition and
conditions (b) and (c) for $\succ$ we have: if $x$ occurs in $C$, then $x$ is basic in $C$ or $x$
occurs in an atom-like term of form $P(x)$ in $C$. In both cases $C\sigma$ is monadic.

The case for chaining is analogous. E.g., consider $m = n = 1$: $E = C\sigma \cup D\sigma \cup
\{u\sigma \lhd'' v\sigma\}$, where $\sigma$ is the mgu of $s$ and $t$ in the monadic clauses $C \cup \{u \lhd s\}$ and
$D \cup \{t \lhd' v\}$. Again, if $\mathrm{codom}(\sigma)$ consists of variables only then $E$ is monadic, too,
by the same arguments as in (1), above. Otherwise the same case distinction as for (2),
above, and analogous arguments apply. □

Lemma 35 implies a bound on the depth of terms that occur in clauses derivable
from monadic sets of clauses. This leaves open the question whether also the length of
clauses (i.e., the number of inequalities) can be bounded. However, this would contradict
the following undecidability result. (We adapt a proof of Gabbay [?] for the monadic,
but not prenex, fragment of $G_\infty$.)

Theorem 36. Validity of prenex monadic formulas of $G_\Delta$ is undecidable.

Proof. In [?] it has been shown that the classical theory CE of two equivalence relations
is undecidable. We faithfully interpret CE in the prenex monadic fragment of $G_\Delta$. In
fact, already validity (and therefore also satisfiability) of a formula $S$ of CE of form

$Q_1x_1 \ldots Q_nx_n \Big( \bigwedge_j x_j = y_j \supset \bigvee_k u_k = v_k \Big)$

is undecidable, where each occurrence of $=$ can be either $=_1$ or $=_2$. Let $p_1$ and $p_2$ be two
monadic predicate symbols. We define $[x =_i y]^* \stackrel{\text{def}}{=} \Delta(p_i(x) \leftrightarrow p_i(y))$, for $i = 1, 2$.
Let $S^*$ be the formula arising from $S$ by replacing all subformulas $x =_i y$ by $[x =_i y]^*$.

We show that $S$ has a CE-model $\mathcal M = (D; =_1^{\mathcal M}, =_2^{\mathcal M})$ if and only if $\mathrm{val}_{\mathcal I}(S^*) = 1$
for some $G_\Delta$-interpretation $\mathcal I$. Without loss of generality we will assume the
domain of $\mathcal M$ to be countable.

($\Rightarrow$) Note that each of the two equivalence relations $=_i^{\mathcal M}$ ($i = 1, 2$) of the CE-model
induces a partition of its domain $D$ into equivalence classes $E^i_j = \{x \mid x =_i^{\mathcal M} y_j\}$,
where $y_j$ is an element of the domain $D$ of $\mathcal M$ and $j$ is some index taken from a set $J$.
Without loss of generality we will assume that the index set $J$ is the real unit interval $[0, 1]$.
(An equivalence class may have many different indices.) We define $\mathcal I = (D, \mathrm{val}_{\mathcal I})$ by
setting (for $i = 1, 2$) $\mathrm{val}_{\mathcal I}(p_i)(d) = j$ iff $d \in E^i_j$. By straightforward induction on the
complexity of $S$ it follows that $\mathrm{val}_{\mathcal I}(S^*) = 1$ iff $\mathcal M$ is a CE-model of $S$.

($\Leftarrow$) Given a $G_\Delta$-interpretation $\mathcal I = (D, \mathrm{val}_{\mathcal I})$ for $S^*$ we define the CE-model $\mathcal M$
for $S$ by taking $D$ as its domain and setting $x =_i^{\mathcal M} y$ iff $\mathrm{val}_{\mathcal I}(p_i)(x) = \mathrm{val}_{\mathcal I}(p_i)(y)$ for
$x, y \in D$, $i = 1, 2$. □
Abstract. Unification of concept descriptions was introduced by Baader
and Narendran as a tool for detecting redundancies in knowledge bases.
It was shown that unification in the small description logic $\mathcal{FL}_0$, which
allows for conjunction, value restriction, and the top concept only, is already
ExpTime-complete. The present paper shows that the complexity
does not increase if one additionally allows for composition, union, and
transitive closure of roles. It also shows that matching (which is polynomial
in $\mathcal{FL}_0$) is PSpace-complete in the extended description logic.
These results are proved via a reduction to linear equations over regular
languages, which are then solved using automata. The obtained results
are also of interest in formal language theory.



1 Introduction 

Knowledge representation languages based on Description Logics (DL) can be
used to represent the terminological knowledge of an application domain in a
structured and formally well-understood way [?]. With the help of these languages,
the important notions of the domain can be described by concept descriptions,
i.e., expressions that are built from atomic concepts (unary predicates)
and atomic roles (binary predicates) using the concept and role constructors provided
by the DL language. Atomic concepts and concept descriptions represent
sets of individuals, whereas roles and role descriptions represent binary relations
between individuals.

Unification of concept descriptions was introduced by Baader and Narendran
[8] as a new inference service for detecting and avoiding redundancies in
DL knowledge bases. Unification considers concept patterns, i.e., concept descriptions
with variables, and tries to make these descriptions equivalent by replacing
the variables by appropriate concept descriptions. The technical results
in [8] were concerned with unification in the small DL $\mathcal{FL}_0$, which allows for
conjunction of concepts ($C \sqcap D$), value restriction ($\forall R.C$), and the top concept
($\top$). It is shown that unification of $\mathcal{FL}_0$-concept descriptions is equivalent to
solving systems of linear equations over finite languages, and that this problem
is ExpTime-complete.

In the present paper, we study unification in $\mathcal{FL}_{reg}$, the DL that extends
$\mathcal{FL}_0$ by the role constructors identity role ($\varepsilon$), empty role ($\emptyset$), union ($R \cup S$),
composition ($R \circ S$), and reflexive-transitive closure ($R^*$).¹ Unification of $\mathcal{FL}_{reg}$-
concept descriptions is again equivalent to solving systems of linear language
equations, but the finite languages are now replaced by regular languages. The
first contribution of the present paper is to show that deciding the solvability
of such equations is, as in the finite case, ExpTime-complete. At first sight one
might think that it is sufficient to show that the problem is in ExpTime, since
ExpTime-hardness already holds for the "simpler" case of unification in $\mathcal{FL}_0$.
However, unification in $\mathcal{FL}_{reg}$ is not a priori at least as hard as unification
in $\mathcal{FL}_0$, since the set of potential solutions increases. Thus, an $\mathcal{FL}_0$-unification
problem (which can also be viewed as an $\mathcal{FL}_{reg}$-unification problem) may be
solvable in $\mathcal{FL}_{reg}$, but not in $\mathcal{FL}_0$. (We will see such an example later on.)

Our complexity results are by reduction to/from decision problems for tree- 
automata. Whereas for equations over finite languages automata on finite trees 
could be used, we now consider automata working on infinite trees. As a by- 
product of the reduction to tree automata, we also show that, if a system of 
linear equations has some (possibly irregular) solution, then it also has a regular 
one. That is, restricting solutions to substitutions that map variables to regular 
languages does not make a difference in terms of the solvability of an equation. 

Equations over regular languages have already been considered by Leiss [?].
However, he does not provide any decidability or complexity results for the
case we are interested in. Closely related to the problem of solving linear language
equations is the problem of solving set constraints [?], i.e., relations between sets
of terms. Set constraints are usually more general than the kind of equations
we are dealing with here. The case we consider here corresponds most closely
to positive set constraints for terms over unary and nullary function symbols
where only union of sets is allowed. For solvability of positive set constraints
over (at least two) unary and (at least one) nullary function symbols, ExpTime-
completeness is shown in [?]. However, this result does not directly imply the
corresponding result for our case. On the one hand, for set constraints one considers
equations with finite languages as coefficients, whereas we allow for regular
languages as coefficients. It is, however, easy to see that regular coefficients can
be expressed using set constraints. On the other hand, for set constraints one
allows for arbitrary (possibly) infinite solutions, whereas we restrict the attention
to regular solutions. Using the (new) result that the restriction to regular
sets does not change the solvability of an equation, our exponential upper bound
also follows from the complexity result in [?]. The hardness result in [?] does not
directly carry over since even positive set constraints allow for more complex
types of equations than the linear ones considered here.

Matching is a special case of unification where only one of the patterns contains
variables. In [8] it was shown that matching in $\mathcal{FL}_0$ is polynomial, and in
[?] this result was extended to the more expressive DL $\mathcal{ALN}$. We will show that
matching in $\mathcal{FL}_{reg}$ is PSpace-complete.

In case a unification/matching problem is solvable, one is usually interested 
in obtaining an actual solution. In the context of matching in description logics, 

¹ Transitive closure then corresponds to the expression $R \circ R^*$.
Table 1. Syntax and semantics of concept descriptions.

  Syntax          Semantics                                                                        $\mathcal{FL}_0$   $\mathcal{FL}_{reg}$
  $\top$          $\Delta^{\mathcal I}$                                                            x                  x
  $A$             $A^{\mathcal I} \subseteq \Delta^{\mathcal I}$                                   x                  x
  $C \sqcap D$    $C^{\mathcal I} \cap D^{\mathcal I}$                                             x                  x
  $\forall R.C$   $\{x \in \Delta^{\mathcal I} \mid \forall y.\ (x, y) \in R^{\mathcal I} \to y \in C^{\mathcal I}\}$   x   x
  $\varepsilon$   $\{(x, x) \mid x \in \Delta^{\mathcal I}\}$                                                          x
  $\emptyset$     $\emptyset$                                                                                          x
  $R \circ S$     $\{(x, z) \mid \exists y : (x, y) \in R^{\mathcal I} \wedge (y, z) \in S^{\mathcal I}\}$             x
  $R^*$           reflexive-transitive closure of $R^{\mathcal I}$                                                     x

it has been argued [?] that not all solutions of a matching problem are of
interest to a user. Therefore, one must look for solutions with certain desired
properties; for instance, least solutions where all variables are substituted by
concept descriptions that are as specific as possible turned out to be appropriate
in some contexts [?]. For matching in $\mathcal{FL}_0$ and $\mathcal{FL}_{reg}$, solvable problems
always have a least solution. For unification, we will show that this is only true
for $\mathcal{FL}_0$.

2 Unification in $\mathcal{FL}_{reg}$

Let us first introduce $\mathcal{FL}_0$- and $\mathcal{FL}_{reg}$-concept descriptions. Starting from the
finite and disjoint sets $N_C$ of concept names and $N_R$ of role names, $\mathcal{FL}_0$-concept
descriptions are built using the concept constructors conjunction ($C \sqcap D$), value
restriction ($\forall r.C$), and the top concept ($\top$). $\mathcal{FL}_{reg}$ extends $\mathcal{FL}_0$ by additionally
allowing for the role constructors identity role ($\varepsilon$), empty role ($\emptyset$), union ($R \cup S$),
composition ($R \circ S$), and reflexive-transitive closure ($R^*$). As an example, consider
the $\mathcal{FL}_{reg}$-concept description $\mathsf{Woman} \sqcap \forall \mathsf{child}^*.\mathsf{Woman}$, which represents
the set of all women with only female offspring.

Role names will be denoted by lower case letters ($r, s, \ldots \in N_R$), and complex
roles by upper case letters ($R, S, T, \ldots$). Note that a complex role can be viewed
as a regular expression over $N_R$ where $\varepsilon$ is taken as the empty word, role names
as elements of the alphabet, the empty role as the empty language, union as
union of languages, composition as concatenation, and reflexive-transitive closure
as Kleene star. Therefore, we sometimes view a complex role $R$ as a regular
expression. In the following, we will abuse notation by identifying regular expressions
with the languages they describe. In particular, if $R$ and $R'$ are regular
expressions, then $R = R'$ will mean that the corresponding languages are equal.

As usual, the semantics of concept and role descriptions is defined in terms of
an interpretation $\mathcal I = (\Delta^{\mathcal I}, \cdot^{\mathcal I})$. The domain $\Delta^{\mathcal I}$ of $\mathcal I$ is a non-empty set and the
interpretation function $\cdot^{\mathcal I}$ maps each concept name $A \in N_C$ to a set $A^{\mathcal I} \subseteq \Delta^{\mathcal I}$
and each role name $r \in N_R$ to a binary relation $r^{\mathcal I} \subseteq \Delta^{\mathcal I} \times \Delta^{\mathcal I}$. The extension of $\cdot^{\mathcal I}$
to arbitrary concept and role descriptions is defined inductively, as shown in the
second column of Table 1. The interested reader may note that $\mathcal{FL}_{reg}$-concept
descriptions can also be viewed as concepts defined by cyclic $\mathcal{FL}_0$-TBoxes interpreted
with the greatest fixed-point semantics [2]. The concept description $D$
subsumes the description $C$ ($C \sqsubseteq D$) iff $C^{\mathcal I} \subseteq D^{\mathcal I}$ for all interpretations $\mathcal I$. Two
concept descriptions $C, D$ are equivalent ($C \equiv D$) iff they subsume each other.

In order to define unification of concept descriptions, we first have to introduce
the notions of concept patterns and substitutions operating on concept
patterns. To this purpose, we need a set of concept variables $N_X$ (disjoint from
$N_C \cup N_R$). $\mathcal{FL}_{reg}$-concept patterns are $\mathcal{FL}_{reg}$-concept descriptions defined over
the set $N_C \cup N_X$ of concept names and the set $N_R$ of role names. For example,
given $A \in N_C$, $X \in N_X$, and $r \in N_R$, $\forall r.A \sqcap \forall r^*.X$ is an $\mathcal{FL}_{reg}$-concept pattern.

A substitution $\sigma$ is a mapping from $N_X$ into the set of all $\mathcal{FL}_{reg}$-concept
descriptions. This mapping is extended from variables to concept patterns in
the obvious way, i.e.,

- $\sigma(\top) := \top$ and $\sigma(A) := A$ for all $A \in N_C$,

- $\sigma(C \sqcap D) := \sigma(C) \sqcap \sigma(D)$ and $\sigma(\forall R.C) := \forall R.\sigma(C)$.

Definition 1. An $\mathcal{FL}_{reg}$-unification problem is of the form $C \equiv^? D$, where $C$,
$D$ are $\mathcal{FL}_{reg}$-concept patterns. The substitution $\sigma$ is a unifier of this problem iff
$\sigma(C) \equiv \sigma(D)$. In this case, the unification problem is solvable, and $C$ and $D$ are
called unifiable.

For example, the substitution $\sigma = \{X \mapsto \forall r \circ r^*.A,\ Y \mapsto \forall r.A\}$ is a unifier of
the unification problem

$\forall s.\forall r.A \sqcap \forall r.A \sqcap \forall r.X \equiv^? X \sqcap \forall s.Y.$ (1)

Note that this problem can also be viewed as an $\mathcal{FL}_0$-unification problem. However,
in this case it does not have a solution since there are no $\mathcal{FL}_0$-concept
descriptions that, when substituted for $X$ and $Y$, make the two concept patterns
equivalent.

For readers interested in unification theory, let us point out that (just as for
$\mathcal{FL}_0$ [8]), unification in $\mathcal{FL}_{reg}$ can be viewed as unification modulo an appropriate
equational theory, and that (like the theory corresponding to $\mathcal{FL}_0$) this
theory is of unification type zero.

3 Reduction to Regular Language Equations 

We now show how unification in $\mathcal{FL}_{reg}$ can be reduced to solving linear equations
over regular languages built using the alphabet $N_R$ of role names.

The equations we are interested in are built as follows. Let $\Sigma$ be a finite
alphabet. For languages $L, M \subseteq \Sigma^*$, their concatenation is defined by $LM :=
\{vw \mid v \in L, w \in M\}$. Let $X_1, \ldots, X_n$ be variables. Given regular languages
$S_0, S_1, \ldots, S_n, T_0, T_1, \ldots, T_n$² over $N_R$, a linear equation over regular languages
is of the form

$S_0 \cup S_1X_1 \cup \cdots \cup S_nX_n = T_0 \cup T_1X_1 \cup \cdots \cup T_nX_n$ (2)

² We assume that these languages are given by regular expressions or nondeterministic
finite automata.



A (regular, finite) solution $\theta$ of this equation is a substitution assigning to each
variable a (regular, finite) language over $\Sigma$ such that the equation holds. We
are particularly interested in regular solutions since these can be turned into
$\mathcal{FL}_{reg}$-concept descriptions.

A system of regular language equations is a finite set of regular language
equations. A substitution $\theta$ solves such a system if it solves every equation in it
simultaneously. A system of equations can easily (in linear time) be turned into
a single equation with the same set of solutions by concatenating all constant
languages in an equation with a role $r$ (a new role for every equation), i.e., the
languages $S_i$ and $T_i$ are replaced by $\{r\}S_i$ and $\{r\}T_i$. Then the different equations
can be put together into a single equation without causing any interference
(see [?] for details). Hence, for our complexity analysis we can focus on single
equations.

To establish the reduction from unification in $\mathcal{FL}_{reg}$ to solvability of linear
equations over regular languages, $\mathcal{FL}_{reg}$-concept patterns are written in the
following normal form:

$\bigsqcap_{A \in N_C} \forall R_A.A \sqcap \bigsqcap_{X \in N_X} \forall R_X.X,$

where $R_A$ and $R_X$ are regular expressions over $N_R$. Every concept pattern can
(in polynomial time) be turned into such a normal form by exhaustively applying
the following equivalence preserving rule: $\forall R.C \sqcap \forall R'.C \to \forall (R \cup R').C$, where
$R, R'$ are regular expressions over $N_R$ and $C$ is some $\mathcal{FL}_{reg}$-concept pattern.
Correctness of our reduction from unification to solvability of linear equations
depends on the following (easily provable [2,8]) characterization of equivalence:

Lemma 1. Let $C, D$ be $\mathcal{FL}_{reg}$-concept descriptions such that

$C \equiv \bigsqcap_{A \in N_C} \forall S_A.A$ and $D \equiv \bigsqcap_{A \in N_C} \forall T_A.A$.

Then $C \equiv D$ iff $S_A = T_A$ for all $A \in N_C$.

As an easy consequence, we obtain the following theorem, which shows that
unification in $\mathcal{FL}_{reg}$ is equivalent via linear time reductions to solving regular
language equations.

Theorem 1. Let $C, D$ be $\mathcal{FL}_{reg}$-concept patterns such that

$C \equiv \bigsqcap_{A \in N_C} \forall S_A.A \sqcap \bigsqcap_{X \in N_X} \forall S_X.X$ and $D \equiv \bigsqcap_{A \in N_C} \forall T_A.A \sqcap \bigsqcap_{X \in N_X} \forall T_X.X$.

Then $C, D$ are unifiable iff, for all $A \in N_C$, the regular language equation
$E_{C,D}(A)$ below has a solution:

$S_A \cup \bigcup_{X \in N_X} S_X X_A = T_A \cup \bigcup_{X \in N_X} T_X X_A$

Note that the language equations in this system do not share variables, and thus
they can be solved separately. In the equation $E_{C,D}(A)$, the variable $X_A$ is a
new copy of $X \in N_X$. Different equations have different copies.

Continuing our example, from the unification problem (1) we obtain the
following language equation (assuming $N_C = \{A\}$):

$\{r, sr\} \cup \{r\}X_A = \{\varepsilon\}X_A \cup \{s\}Y_A$

A solution of this equation is $X_A = rr^*$ and $Y_A = r$, which corresponds to the
solution $\sigma$ of (1).
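The reduction of Theorem 1 and the equivalence check of Lemma 1, run on problem (1), as an added Python example that is not taken from the paper. Patterns in the normal form of Section 3 are dicts from concept names and variables to their prefix languages; words are tuples of role names, and a regular language is represented by its words up to a length bound n. That representation makes the equality checks exact for words of length at most n (concatenation never shortens a word) but it is not a proof for the full languages. `language_equation` produces $E_{C,D}(A)$, `apply_subst` computes $\sigma(C)$ in normal form, and the sample patterns, the unifier $\sigma$ and the solution $\theta$ are those of the text.

```python
# Words over the role alphabet are tuples of role names, languages are
# frozensets of words; EPS is the empty word.  A regular language is kept
# only up to a length bound n, which is exact for the equalities checked below
# on words of length <= n because concatenation never shortens a word.
EPS = ()

def concat(L, M):
    """LM := {vw | v in L, w in M}."""
    return frozenset(v + w for v in L for w in M)

def star(L, n):
    """Words of L* of length at most n."""
    result, layer = {EPS}, {EPS}
    while layer:
        layer = {v + w for v in layer for w in L if len(v + w) <= n} - result
        result |= layer
    return frozenset(result)

def truncate(L, n):
    return frozenset(w for w in L if len(w) <= n)

# A pattern in the normal form of Section 3 is a dict mapping each concept
# name A (resp. variable X) to the language R_A (resp. R_X) of role prefixes.
def language_equation(C, D, A, NX):
    """Theorem 1: the equation E_{C,D}(A), returned as two sides, each a pair
    (constant language, {variable: coefficient language})."""
    side = lambda P: (P.get(A, frozenset()), {X: P[X] for X in NX if X in P})
    return side(C), side(D)

def evaluate(side, theta):
    """Instantiate one side of the equation with the substitution theta."""
    const, coeffs = side
    words = set(const)
    for X, S in coeffs.items():
        words |= concat(S, theta[X])
    return frozenset(words)

def solves(equation, theta, n):
    """Does theta (given up to length n) satisfy the equation on all words of
    length <= n?"""
    lhs, rhs = equation
    return truncate(evaluate(lhs, theta), n) == truncate(evaluate(rhs, theta), n)

def apply_subst(pattern, sigma, NX):
    """sigma(C) in normal form: the conjunct forall R_X.X contributes
    forall R_X S.A for every conjunct forall S.A of sigma(X)."""
    out = {}
    for name, R in pattern.items():
        parts = sigma[name].items() if name in NX else [(name, {EPS})]
        for A, S in parts:
            out[A] = out.get(A, frozenset()) | concat(R, S)
    return out

def equivalent(C, D, n):
    """Lemma 1, on words of length <= n: S_A = T_A for every concept name."""
    return all(truncate(C.get(A, frozenset()), n) == truncate(D.get(A, frozenset()), n)
               for A in set(C) | set(D))

# Problem (1) of the text, with N_C = {A} and N_X = {X, Y}:
#   forall s.forall r.A  and  forall r.A  and  forall r.X   =?   X  and  forall s.Y
NX = {"X", "Y"}
C1 = {"A": frozenset({("s", "r"), ("r",)}), "X": frozenset({("r",)})}
D1 = {"X": frozenset({EPS}), "Y": frozenset({("s",)})}

def sigma1(n):
    """The unifier of the text: X -> forall r o r*.A, Y -> forall r.A."""
    return {"X": {"A": concat({("r",)}, star({("r",)}, n))},
            "Y": {"A": frozenset({("r",)})}}

def theta1(n):
    """The corresponding solution X_A = rr*, Y_A = r of the language equation."""
    return {"X": concat({("r",)}, star({("r",)}, n)), "Y": frozenset({("r",)})}

if __name__ == "__main__":
    n = 6
    eq = language_equation(C1, D1, "A", NX)
    print(solves(eq, theta1(n), n))
    print(equivalent(apply_subst(C1, sigma1(n), NX), apply_subst(D1, sigma1(n), NX), n))
```

Both sides of $E_{C,D}(A)$ evaluate to $\{r, sr\} \cup rrr^*$ under $\theta$, and $\sigma(C)$ and $\sigma(D)$ both normalise to $\forall(sr \cup rr^*).A$, so the two checks agree, as Theorem 1 requires.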

4 The Decision Problem 

The first theorem of this paper gives the exact complexity of solving systems of
linear equations over regular languages.

Theorem 2. Deciding (regular) solvability of (systems of) equations of the form
(2) is an ExpTime-complete problem.

As an immediate consequence, unification in $\mathcal{FL}_{reg}$ is ExpTime-complete as well.



The upper complexity bound. To prove that the problem can be solved in
ExpTime, it suffices to concentrate on a single equation. Moreover, instead of (2)
we consider equations where the variables occur in front of the coefficients. Such
an equation can easily be obtained from (2) by considering the mirror images
(or reverse) of the coefficient languages. That is, we go from a language $L \subseteq N_R^*$
to its mirror image $L^{mi} := \{r_n \cdots r_1 \mid r_1 \cdots r_n \in L\}$. The mirror equation of
(2) is of the form

$S_0^{mi} \cup X_1S_1^{mi} \cup \cdots \cup X_nS_n^{mi} = T_0^{mi} \cup X_1T_1^{mi} \cup \cdots \cup X_nT_n^{mi}$ (3)

Obviously, the mirror images of solutions of (2) are exactly the solutions of (3).

To test (3) for solvability, we build a looping tree-automaton $\mathcal B$, i.e., a Büchi
tree-automaton where all states are final. Let us briefly introduce infinite trees
and looping tree-automata (see [?] for details). Let $\Sigma$ be a finite alphabet and,
w.l.o.g., $N_R = \{1, \ldots, k\}$. A $\Sigma$-labeled $k$-ary infinite tree $t$ is a mapping from
$N_R^*$ into $\Sigma$. (In particular, the nodes of $t$ can be viewed as words over $N_R$.)
In case $\Sigma$ is a singleton, $t$ is called unlabeled. A looping tree-automaton $\mathcal A$ is a
tuple $(Q, \Sigma, I, \Delta)$ where $Q$ is the finite set of states of $\mathcal A$, $\Sigma$ is a finite alphabet,
$I \subseteq Q$ is the set of initial states, and $\Delta \subseteq Q \times \Sigma \times Q^k$ is the transition relation.
(Note that we do not define final states. Also, we will omit $\Sigma$ in case it is
a singleton.) A run $r$ of $\mathcal A$ on the tree $t$ is a $Q$-labeled $k$-ary tree such that
$(r(u), t(u), r(u1), \ldots, r(uk)) \in \Delta$. It is called successful if $r(\varepsilon) \in I$. The tree
language accepted by $\mathcal A$ is $L(\mathcal A) := \{t \mid \text{there exists a successful run of } \mathcal A \text{ on } t\}$.

Our looping tree-automaton $\mathcal B$ will work on the (unique) unlabeled $k$-ary
infinite tree $t$ (thus $L(\mathcal B)$ will be the empty set or $\{t\}$). The idea underlying
the construction is as follows. A $Q$-labeled $k$-ary infinite tree $r$ can be used to
describe sets of words by taking those words $u$ for which the label $r(u)$ satisfies
a certain property. In principle, a run of $\mathcal B$ on $t$ represents i) a set of words
over $N_R$ obtained by instantiating the equation with one of its solutions (called
solution sets in the following), and ii) the solution itself, i.e., the languages
substituted for the variables. To achieve this, while working its way down $t$, in
every step $\mathcal B$ guesses whether the current node (or more precisely the word it
represents) a) belongs to the solution set, and b) to the language substituted for
$X_i$ ($i = 1, \ldots, n$). In addition, $\mathcal B$ checks whether the guesses made actually yield
a solution.

Formally, $\mathcal B = (Q, I, \Delta)$ is defined as follows. (We provide a more detailed
explanation after the definition.) Let $\mathcal A_{S,i} = (Q_{S,i}, N_R, q_{S,i}, \Delta_{S,i}, F_{S,i})$
and $\mathcal A_{T,i} = (Q_{T,i}, N_R, q_{T,i}, \Delta_{T,i}, F_{T,i})$ be (nondeterministic) finite automata
accepting the languages $S_i^{mi}$ and $T_i^{mi}$ ($i = 0, \ldots, n$), respectively. We assume
(w.l.o.g.) that the sets of states of these automata are pairwise disjoint. Let
$N := \{0, 1, \ldots, n\}$, $Q_S$ ($Q_T$) be the union of the sets $Q_{S,i}$ ($Q_{T,i}$), $i = 0, \ldots, n$,
and $F_S$ ($F_T$) be the union of the sets $F_{S,i}$ ($F_{T,i}$).

1. $Q := 2^N \times 2^{Q_S} \times 2^{Q_T}$;

2. $I := \{(G, L, R) \mid G \subseteq N,\ L = \{q_{S,0}\} \cup \{q_{S,i} \mid i \in G\},\ \text{and}\ R = \{q_{T,0}\} \cup \{q_{T,i} \mid i \in G\}\}$;

3. $\Delta$ consists of all tuples $((G_0, L_0, R_0), (G_1, L_1, R_1), \ldots, (G_k, L_k, R_k)) \in Q \times Q^k$
such that

a) $0 \in G_0$ iff $L_0 \cap F_S \neq \emptyset$ iff $R_0 \cap F_T \neq \emptyset$;

b) for all $i = 1, \ldots, k$,
$L_i := \mathrm{suc}(L_0, i) \cup \{q_{S,j} \mid j \in G_i\}$ and $R_i := \mathrm{suc}(R_0, i) \cup \{q_{T,j} \mid j \in G_i\}$,
where $\mathrm{suc}(L_0, i) := \{q \mid \text{there exist } q' \text{ and } j \text{ with } q' \in L_0 \cap Q_{S,j} \text{ and } (q', i, q) \in \Delta_{S,j}\}$
and $\mathrm{suc}(R_0, i)$ is defined analogously.

Intuitively, $\mathcal{B}$ uses the first component of its states to guess whether a node (the word it represents) belongs to the solution set and/or to one of the variables $X_i$. That is, given a state $(G, L, R)$, $0 \in G$ means that the current node belongs to the solution set and $i \in G$ means that the node belongs to $X_i$ (more accurately, to the language substituted for $X_i$). The other two components are used to do the book-keeping necessary to check whether the guesses actually yield a solution. To understand their role, assume that $r$ is a run of $\mathcal{B}$ on $t$. W.l.o.g. we consider the second component. If $r(u) = (G, L, R)$ and $j \in G$, for some $j \neq 0$, then $u$ belongs to $X_j$, and thus $uv$ belongs to $X_j S_j^{mi}$ for all $v \in S_j^{mi}$. Consequently, if $r(uv) = (G', L', R')$, then we must have $0 \in G'$. To enforce this, $q_{S,j}$ (the initial state of the automaton $\mathcal{A}_{S,j}$ accepting $S_j^{mi}$) is added to $L$. The transitions of $\mathcal{B}$ then simulate the transitions of $\mathcal{A}_{S,j}$ in the second component. Thus, in $r(uv)$ the set $L'$ contains a final state of $\mathcal{A}_{S,j}$, and now (3a) implies that $0 \in G'$ must hold. Conversely, if $0 \in G'$, then $L'$ must contain a final state of some of the automata $\mathcal{A}_{S,i}$ ($i = 0, \ldots, n$).

Given a successful run $r$ of $\mathcal{B}$, it is now easy to prove that the substitution $\theta_r$:
$$\theta_r(X_i) := \{u \mid r(u) = (G, L, R) \text{ and } i \in G\}$$
is a solution of (3). Conversely, it is not hard to show that a given solution of (3) induces a successful run of $\mathcal{B}$.

Lemma 2. There is a one-to-one correspondence between solutions of (3) and successful runs of $\mathcal{B}$.

The lemma implies that equation (3) has a solution iff $\mathcal{B}$ has a successful run (i.e., $L(\mathcal{B}) \neq \emptyset$). The size of the set of states of $\mathcal{B}$ is exponential in the size of equation (3), where the sizes of the regular sets $S_i^{mi}$ and $T_i^{mi}$ are measured by the size of nondeterministic finite automata accepting these sets. Since the emptiness problem for Büchi tree-automata (and thus looping tree-automata) can be solved in polynomial time in the size of the automaton [15] (and actually in linear time for looping automata), this yields the desired exponential time algorithm for deciding the solvability of equation (3). However, the existence of a solution does not a priori imply that there is also a regular one. Thus, we must still show that regular solvability can also be decided in ExpTime.

It is well-known [?] that a Büchi-automaton has a successful run iff it has a regular (or rational) run. It is easy to show that the solution corresponding to a regular run is a regular solution.

Proposition 1. If (3) has a solution, then it also has a regular one.

This proposition also follows from our results in Section 5.



The lower complexity bound. The hardness result can be shown similarly to the proof by Baader and Narendran [8] for systems of equations over finite languages. In their proof, the intersection emptiness problem for deterministic root-to-frontier automata on finite trees, which has been shown to be ExpTime-complete by Seidl [?], is reduced to the solvability of systems of equations over finite languages. The intersection emptiness problem is defined as follows: given a sequence $\mathcal{A}_1, \ldots, \mathcal{A}_n$ of deterministic root-to-frontier automata over the same ranked alphabet $\Sigma$, decide whether there exists a tree $t$ accepted by $\mathcal{A}_1, \ldots, \mathcal{A}_n$. Instead of deterministic root-to-frontier automata we will here use deterministic looping tree-automata: a looping tree-automaton is deterministic if it has one initial state and, for every state $q$ and symbol $f$, there exists at most one transition of the form $(q, f, \ldots)$. We will show that Seidl's result easily carries over to these automata. However, we need to consider looping tree-automata over infinite trees labeled by elements of a ranked alphabet. That is, the number of successors of a node varies depending on the arity of the label attached to the node. Modifying the definition of looping tree-automata to work on these trees is straightforward.

Proposition 2. The intersection emptiness problem for looping tree-automata over a ranked alphabet is ExpTime-hard.

This can be shown by reducing the intersection emptiness problem for root-to-frontier automata to the intersection emptiness problem for looping tree-automata. The main idea is to turn every finite tree $t$ into an infinite tree $\hat{t}$ by adding a new symbol $\sharp$ (say of rank 1) to the alphabet, and extending the finite tree at every leaf by attaching the infinite tree labeled by $\sharp$ only. A given root-to-frontier automaton $\mathcal{A}$ can then easily be modified to a looping tree-automaton $\mathcal{B}$ such that every successful run of $\mathcal{A}$ on $t$ corresponds to a successful run of $\mathcal{B}$ on $\hat{t}$ and vice versa.

It remains to show how the intersection emptiness problem for looping tree-automata can be reduced to the solvability of systems of linear equations over regular languages. In the following, let $\Sigma$ be a ranked alphabet. Seidl's result implies that it suffices to restrict the attention to symbols of rank 1 and 2.

We represent an infinite tree $t$ over the ranked alphabet $\Sigma$ by an infinite set $S(t)$ of words over $\Sigma \cup \{1, 2\}$. This set contains one element for every node of the tree. Given a node $u$, the corresponding word describes the path from this node to the root of the tree by listing the labels of the nodes $v$ on this path together with the information whether $v$ is the first or second successor of its parent node. To be more precise, if $t = f(t_1, t_2)$ is the tree whose root is labeled with $f$ and has the two successor trees $t_1$ and $t_2$, then $S(t) := \{\varepsilon\} \cup \{u1f \mid u \in S(t_1)\} \cup \{u2f \mid u \in S(t_2)\}$. Accordingly, if $t = g(t')$, then $S(t) := \{\varepsilon\} \cup \{u1g \mid u \in S(t')\}$. For example, if $f$ is binary, $g$ is unary, and $t$ is the infinite tree labeled with $g$ only, then $S(f(t,t)) = \{\varepsilon\} \cup (1g)^*1f \cup (1g)^*2f$. Given a node $u$ in $t$ we denote the word representing $u$ in $S(t)$ by $w_t(u)$. In the example, $w_t(211) = 1g1g2f$.

Now, let $\mathcal{A} = (Q, \Sigma, q_0, \Delta)$ be a deterministic looping tree-automaton over the ranked alphabet $\Sigma$. We construct the following linear equation, where the variables $X_{(q,g)}$ range over (possibly infinite) sets of words over $\Sigma' := \Sigma \cup Q \cup \{1, 2\}$:

$$\bigcup_{(q,g) \in Suc} \{q\} X_{(q,g)} \;=\; \{q_0\} \;\cup \bigcup_{(q,g,q_1,\ldots,q_k) \in \Delta} \{q_1 1 g, \ldots, q_k k g\} X_{(q,g)}, \tag{4}$$

where $Suc$ denotes the set of tuples $(q, g)$ for which there exist $q_1, \ldots, q_k$ with $(q, g, q_1, \ldots, q_k) \in \Delta$, and $k$ denotes the rank of $g$.

We want to show that solutions of (4) induce accepting runs of $\mathcal{A}$ and vice versa. Assuming that (4) has the solution $\theta$, let us try to construct a tree $t$ and a successful run of $\mathcal{A}$ on $t$. Since $q_0$ occurs on the right-hand side of (4), it must also occur on the left-hand side. Thus, there must exist a symbol $g$ such that $(q_0, g) \in Suc$ and $\varepsilon \in \theta(X_{(q_0,g)})$. Intuitively, this corresponds to setting $t(\varepsilon) := g$ and $r(\varepsilon) := q_0$. Now, since $\varepsilon \in \theta(X_{(q_0,g)})$, additional words occur on the right-hand side of (4). Indeed, since $(q_0, g) \in Suc$, there exist $q_1, \ldots, q_k$ with $(q_0, g, q_1, \ldots, q_k) \in \Delta$. Thus, the words $q_1 1 g, \ldots, q_k k g$ occur on the right-hand side. This corresponds to setting $r(1) := q_1, \ldots, r(k) := q_k$. Let us look at $q_1 1 g$. This word must also occur on the left-hand side of (4). Thus, there must exist a symbol $f$ with $(q_1, f) \in Suc$ and $1g \in \theta(X_{(q_1,f)})$. This corresponds to setting $t(1) := f$. Now, since $1g \in \theta(X_{(q_1,f)})$, additional words occur on the right-hand side of (4), and one continues just as in the case $\varepsilon \in \theta(X_{(q_0,g)})$. This illustrates that, if (4) is solvable, then one can construct a tree $t$ and an accepting run $r$ of $\mathcal{A}$ on $t$. Moreover, it follows that $S(t) \subseteq V_\theta := \bigcup_{(q,g) \in Suc} \theta(X_{(q,g)})$.
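The word encoding $S(t)$, the run of a deterministic looping tree-automaton, the solution $\theta$ it induces (the sets $\theta(X_{(q,g)}) = \{w_t(u) \mid t(u) = g,\ r(u) = q\}$ used in the converse direction below) and equation (4) itself, worked on a finite prefix of an infinite tree as an added Python example; this is not code from the paper. The tree is the $f(t,t)$ of the text's own example (root labeled $f$, everything else $g$), the automaton with states `q0`, `q1` is a constructed toy, and since the sets involved are infinite, all checks are made up to a chosen depth.

```python
import re

# Constructed example, not from the paper: Σ = {f (rank 2), g (rank 1)},
# nodes are words over {1, 2}, and t = f(t', t') with t' the infinite g-tree.
RANK = {"f": 2, "g": 1}

def t_label(u):
    """Labelling of t: the root carries f, every other node carries g."""
    return "f" if u == "" else "g"

def w(t, u):
    """w_t(u): the word of S(t) describing the path from node u up to the root,
    using w_t(u i) = i · t(u) · w_t(u) and w_t(ε) = ε."""
    if u == "":
        return ""
    parent, i = u[:-1], u[-1]
    return i + t(parent) + w(t, parent)

def nodes(t, depth):
    """All nodes of t of depth at most `depth`, in breadth-first order."""
    result, frontier = [""], [""]
    for _ in range(depth):
        frontier = [u + str(i) for u in frontier for i in range(1, RANK[t(u)] + 1)]
        result.extend(frontier)
    return result

def s_t(t, depth):
    """The finite part of S(t) contributed by nodes of depth at most `depth`."""
    return {w(t, u) for u in nodes(t, depth)}

def matches_description(word):
    """Regular description of S(f(t,t)) from the text: {ε} ∪ (1g)*1f ∪ (1g)*2f."""
    return re.fullmatch(r"((1g)*[12]f)?", word) is not None

# Constructed deterministic looping tree-automaton A = (Q, Σ, q0, Δ):
# DELTA[(q, g)] lists the successor states for the rank(g) children of a g-node.
DELTA = {("q0", "f"): ("q1", "q1"), ("q1", "g"): ("q1",)}
Q0 = "q0"

def run(t, depth):
    """The unique run r of A on the prefix of t (a dict node -> state), or None
    if A has no transition for some (state, label) pair it reaches."""
    r = {"": Q0}
    for u in nodes(t, depth):
        succ = DELTA.get((r[u], t(u)))
        if succ is None:
            return None
        for i, q in enumerate(succ, start=1):
            r[u + str(i)] = q
    return r

def solution(t, r, depth):
    """θ(X_(q,g)) := {w_t(u) | t(u) = g and r(u) = q}, restricted to depth."""
    theta = {}
    for u in nodes(t, depth):
        theta.setdefault((r[u], t(u)), set()).add(w(t, u))
    return theta

def equation4_holds(t, r, depth):
    """Equation (4) on the prefix (depth >= 1): the left side collects the pairs
    (r(u), w_t(u)) for all nodes u up to `depth`; the right side is (q0, ε) plus
    the pairs (q_i, i·g·w_t(u)) produced by the transition taken at each node of
    depth < `depth`."""
    lhs = {(r[u], w(t, u)) for u in nodes(t, depth)}
    rhs = {(Q0, "")}
    for u in nodes(t, depth - 1):
        for i, q in enumerate(DELTA[(r[u], t(u))], start=1):
            rhs.add((q, str(i) + t(u) + w(t, u)))
    return lhs == rhs
```

The union of all $\theta(X_{(q,g)})$ equals the depth-bounded $S(t)$, which is the equality $S(t) = V_\theta$ of the converse direction; a tree the automaton rejects makes `run` return `None`, so no $\theta$ is produced for it.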
Conversely, if $t \in L(\mathcal{A})$ and $r$ is the (unique) accepting run of $\mathcal{A}$ on $t$, then we can use $r$ to construct a solution $\theta$ of (4) such that $S(t) = V_\theta$:
$$\theta(X_{(q,g)}) := \{w_t(u) \mid t(u) = g \wedge r(u) = q\}.$$

Lemma 3. If $\theta$ solves (4), then there exists $t \in L(\mathcal{A})$ with $S(t) \subseteq V_\theta$. Conversely, if $t \in L(\mathcal{A})$, then there exists a solution $\theta$ of (4) with $S(t) = V_\theta$.

The inclusion in the first part of the lemma may be strict. In fact, by the second part, every tree in $L(\mathcal{A})$ yields a solution of (4). Since the solutions of such linear equations are closed under (argument-wise) union, there are solutions $\theta$ representing more than one accepted tree. Because of this fact, our reduction will depend on the following lemma.

Lemma 4. Let $\theta$ be a solution of (4) and $t$ a tree. If $S(t) \subseteq V_\theta$, then $t \in L(\mathcal{A})$.

In contrast to the previous lemma, Lemma 4 holds only because the automaton $\mathcal{A}$ is assumed to be deterministic (see [?] for a proof).

We are now ready to reduce the intersection emptiness problem to solving a system of linear equations. Let $\mathcal{A}_1, \ldots, \mathcal{A}_n$ be deterministic looping tree-automata with pairwise disjoint sets of states. For every $\mathcal{A}_i$, we consider a system of equations $E_i$ that consists of the equation of the form (4) induced by $\mathcal{A}_i$ together with the equation

$$X = \bigcup_{(q,g) \in Suc} X_{(q,g)}. \tag{5}$$

Now, let $E$ be the union of the systems $E_i$ ($i = 1, \ldots, n$). Note that we use the same variable $X$ for every equation $E_i$. Otherwise, the equations $E_i$ do not share variables since the sets of states of the automata $\mathcal{A}_i$ were assumed to be pairwise disjoint.

We need to show that $E$ has a solution iff $L(\mathcal{A}_1) \cap \cdots \cap L(\mathcal{A}_n) \neq \emptyset$. If there exists $t \in L(\mathcal{A}_1) \cap \cdots \cap L(\mathcal{A}_n)$, then, according to Lemma 3, for every $i$ there exists a solution $\theta_i$ of the equation corresponding to $\mathcal{A}_i$ satisfying $S(t) = V_{\theta_i}$. Let $\theta$ be the substitution defined by $\theta(X_{(q,g)}) := \theta_i(X_{(q,g)})$ if $q$ is a state of $\mathcal{A}_i$, and $\theta(X) := S(t)$. Then $\theta$ solves the system $E$. Conversely, if $\theta$ is a solution of $E$, then it solves equation (4) for every automaton $\mathcal{A}_i$. In particular, by Lemma 3 there exists a tree $t_1 \in L(\mathcal{A}_1)$ such that $S(t_1) \subseteq V_\theta$. Since $\theta$ solves the equation corresponding to $\mathcal{A}_i$, Lemma 4 thus yields $t_1 \in L(\mathcal{A}_i)$ for every $i$. Thus, $t_1 \in L(\mathcal{A}_1) \cap \cdots \cap L(\mathcal{A}_n)$. This completes the proof of the lower complexity bound stated in Theorem 2.

5 Least Unifiers and Greatest Solutions

In case a unification problem is solvable, one is usually interested in obtaining an actual solution. Since a given unification problem may have infinitely many unifiers, one must decide which ones to prefer.⁶ As mentioned in the introduction, least unifiers are of interest in some applications. The unifier $\sigma$ is a least unifier of an $\mathcal{FL}_{reg}$/$\mathcal{FL}_0$ unification problem if it satisfies $\sigma(X) \sqsubseteq \sigma'(X)$ for all unifiers $\sigma'$ and variables $X$ occurring in the problem.

For $\mathcal{FL}_0$, least unifiers need not exist. For example, assume that $N_C = \{A\}$ and $N_R = \{r\}$. Then the (trivially solvable) unification problem $X \equiv^? X$ does not have a least unifier in $\mathcal{FL}_0$; however, $\sigma$ with $\sigma(X) = \forall r^*.A$ is the least unifier of this problem in $\mathcal{FL}_{reg}$.

It is easy to see that the least unifier of a given $\mathcal{FL}_{reg}$ unification problem corresponds to the greatest regular solution of the corresponding formal language equations. The solution $\theta$ is a greatest solution of an equation of the form (2) (or (3)) iff it satisfies $\theta'(X) \subseteq \theta(X)$ for all solutions $\theta'$ and variables $X$ occurring in the equation. Thus, we are interested in the existence and computability of greatest regular solutions of linear equations over regular languages.

The existence of a greatest solution of a solvable equation is obvious since the set of solutions is closed under union. In fact, if $\theta_j$, $j \in J$, are solutions of (3), then so is $\theta$ with $\theta(X) := \bigcup_{j \in J} \theta_j(X)$ for all variables $X$ occurring in the equation. Thus, the greatest solution can be obtained as the union over all solutions. However, this greatest solution can only be translated into a least unifier if it is regular. We will show that this is indeed always the case.

Theorem 3. Every solvable equation of the form (3) has a greatest solution, and this solution is regular. This solution may grow exponentially in the size of (3), and it can be computed in exponential time.

Assume that $\theta$ is the greatest solution of a solvable equation of the form (3). We first show that this solution is regular. Lemma 2 implies that there exists a corresponding run $r_\theta$ of the automaton $\mathcal{B}$ obtained from the equation (cf. Section 4). We proceed in three steps.

1. We restrict $\mathcal{B} = (Q, I, \Delta)$ to contain only so-called active states. The resulting automaton is called $\mathcal{B}' = (Q', I', \Delta')$.

2. Using $\mathcal{B}'$, we show that $r_\theta$ is regular, i.e., for every $q \in Q'$, the set $\{u \in N_R^* \mid r_\theta(u) = q\}$ is regular.

3. From $r_\theta$, finite automata accepting $\theta(X_i)$ are derived.

A state $q$ of $\mathcal{B}$ is called active, if $L(Q, \{q\}, \Delta) \neq \emptyset$, i.e., starting from $q$ there exists a successful run of $\mathcal{B}$. Otherwise, $q$ is called passive. The active states can be computed as follows. One first eliminates all states $q$ for which there exist no transitions of the form $(q, \ldots)$. One also eliminates all transitions containing these states. This process is iterated until no more states are eliminated. It is easy to see that the remaining states are exactly the active ones. Obviously, this procedure needs time polynomial in the size of $\mathcal{B}$. (There even exists a linear time algorithm for this task.) Let $\mathcal{B}' = (Q', I', \Delta')$ denote the automaton obtained from $\mathcal{B}$ by eliminating all passive states. (Note that $L(\mathcal{B}') = \emptyset$ iff $I' = \emptyset$.)

⁶ From the viewpoint of unification theory, we consider ground unifiers (i.e., substitutions whose images do not contain variables). Thus, it does not make sense to employ the usual instantiation pre-order on unifiers. Anyway, the equational theory corresponding to $\mathcal{FL}_{reg}$ is of unification type zero, and thus most general unifiers or even finite complete sets of unifiers need not exist.

To show that $r_\theta$ is regular, we need the following partial ordering $\leq$ on transitions of a state $q$. Let $\eta = (q, q_1, \ldots, q_k)$, $\eta' = (q, q'_1, \ldots, q'_k) \in \Delta'$, $q_i = (G_i, L_i, R_i)$, and $q'_i = (G'_i, L'_i, R'_i)$. Then, $\eta \leq \eta'$ iff $G_i \setminus \{0\} \subseteq G'_i \setminus \{0\}$ for all $i = 1, \ldots, k$. Note that $\leq$ is in fact antisymmetric: If $\eta \leq \eta'$ and $\eta' \leq \eta$, then $G_i \setminus \{0\} = G'_i \setminus \{0\}$ for all $i = 1, \ldots, k$. Since the sets $L_i, R_i$ ($L'_i, R'_i$) are uniquely determined by $G_i$ ($G'_i$) and $0 \in G_i$ ($0 \in G'_i$) is determined by $L_i, R_i$ ($L'_i, R'_i$), this yields $\eta = \eta'$.

Now, let $u \in N_R^*$. We claim that the transition $\eta = (r_\theta(u), q_1, \ldots, q_k) \in \Delta'$, where $q_i = r_\theta(ui) =: (G_i, L_i, R_i)$, is the greatest transition among the transitions of $r_\theta(u)$ in $\mathcal{B}'$. Otherwise, there exists a transition $\eta' = (r_\theta(u), q'_1, \ldots, q'_k) \in \Delta'$, where $q'_i = (G'_i, L'_i, R'_i)$, and $i \in \{1, \ldots, k\}$ such that $G'_i \setminus \{0\} \not\subseteq G_i \setminus \{0\}$, i.e., there exists $0 \neq j \in G'_i \setminus G_i$. We can construct a new run $r'$ of $\mathcal{B}'$ that uses $\eta'$ at node $u$ instead of $\eta$. Since, by definition of $\mathcal{B}'$, the states $q'_i$ in $\eta'$ are all active, starting from these states there exist runs in $\mathcal{B}'$. Thus, a successful run $r'$ using this transition at $u$ really exists. This run corresponds to a solution of (3). However, in this solution $ui$ belongs to $X_j$ whereas this is not the case for the greatest solution, a contradiction. Thus, $\eta$ must be the greatest transition.

As a consequence, if $\mathcal{B}'$ is in the same state at different nodes, then the same transition (namely, the greatest) is used by the run $r_\theta$. From this, it easily follows that $r_\theta$ is regular: given $q \in Q'$, the following (deterministic) finite automaton $\mathcal{A}_q = (Q'', \{1, \ldots, k\}, q_I, \Delta'', \{q\})$ accepts the set $\{u \mid r_\theta(u) = q\}$:

- $Q'' := Q'$;

- $q_I := r_\theta(\varepsilon)$;

- $\Delta'' := \{(q, i, q_i) \mid (q, q_1, \ldots, q_k) \text{ is the greatest transition of } q \text{ in } \Delta' \text{ and } i = 1, \ldots, k\}$.

If in $\mathcal{A}_q$ the set of final states is $\{(G, L, R) \in Q' \mid i \in G\}$ instead of $\{q\}$, then this automaton accepts the language substituted for $X_i$ in the greatest solution. Thus, the greatest solution of (3) is regular. Finally, since $\mathcal{B}'$ and $\mathcal{A}_q$ can be computed in time exponential in the size of (3), the upper complexity bound for computing the greatest solution follows as well.
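The active-state elimination of step 1 and the deterministic automaton $\mathcal{A}_q$ of step 2 (the run that always takes the same transition in the same state), as an added Python example that is not code from the paper. The looping tree-automaton is a constructed toy over the unlabeled binary tree with plain state names instead of the paper's triples $(G, L, R)$, so the ordering $\leq$ is not available; the `choose` parameter stands for the selection of the greatest transition and defaults to an arbitrary fixed choice (`min`), which is enough to show that any fixed choice of one transition per active state yields a regular successful run.

```python
# Constructed looping tree-automaton over the unlabeled binary tree (k = 2).
# A transition is a tuple (q, q_1, q_2); state names are arbitrary placeholders.
K = 2
STATES = {"p", "q", "s", "d"}
INITIAL = {"s", "p"}
TRANSITIONS = {("p", "p", "q"), ("q", "q", "q"), ("s", "s", "d")}
# "d" has no outgoing transition, so it is passive; "s" becomes passive too,
# because its only transition mentions "d".

def active_states(states, transitions):
    """Iterated elimination: drop every state without an outgoing transition and
    every transition mentioning a dropped state, until nothing changes.  The
    survivors are exactly the active states."""
    alive, trans = set(states), set(transitions)
    while True:
        dead = alive - {tr[0] for tr in trans}
        if not dead:
            return alive, trans
        alive -= dead
        trans = {tr for tr in trans if all(q in alive for q in tr)}

def restrict(states, initial, transitions):
    """B' = (Q', I', Δ'): the automaton with all passive states removed."""
    alive, trans = active_states(states, transitions)
    return alive, set(initial) & alive, trans

def is_empty(states, initial, transitions):
    """L(B') = ∅ iff I' = ∅."""
    return not restrict(states, initial, transitions)[1]

def regular_run(states, initial, transitions, choose=min):
    """Fix one transition per active state (`choose` stands in for picking the
    greatest one).  Every state of B' is active, so the run that always uses the
    chosen transition is successful, and it is regular: the state at a node
    u = i_1 ... i_m is computed by a DFA over {1, ..., k} with Δ'' = {(q, i, q_i)}.
    Returns (initial state q_I, DFA transition table) or None if L(B) = ∅."""
    alive, init, trans = restrict(states, initial, transitions)
    if not init:
        return None
    chosen = {q: choose(tr for tr in trans if tr[0] == q) for q in alive}
    dfa = {(q, i): tr[i] for q, tr in chosen.items() for i in range(1, K + 1)}
    return choose(init), dfa

def run_state(regular, u):
    """r(u) for a node u given as a word over {1, ..., k}: run the DFA on u.
    The automaton A_q of the text accepts u iff run_state(regular, u) == q."""
    q, dfa = regular
    for i in u:
        q = dfa[(q, int(i))]
    return q
```

With the final-state set of the DFA chosen as "all states whose first component contains $i$" instead of $\{q\}$, the same table is the automaton for $\theta(X_i)$ described in the text.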

It remains to show that the size of the greatest solution may indeed grow exponentially. To this purpose, consider the equation

$$L_1\{1\} \cup \cdots \cup L_k\{k\} = L_1\{1\} \cup \cdots \cup L_k\{k\} \cup X\{1, \ldots, k\}, \tag{6}$$

where the $L_i$'s are regular languages over $N_R$. Obviously, the greatest solution is the one that replaces $X$ by $L_1 \cap \cdots \cap L_k$. From results shown in [?]⁷ it follows that the size of automata accepting this intersection may grow exponentially in the size of automata accepting $L_1, \ldots, L_k$.

⁷ Although these results have been shown for deterministic finite automata, they easily carry over to the nondeterministic case.



Unification in a Description Logic with Transitive Closure of Roles 229

6 Matching in $\mathcal{FL}_{reg}$

Matching is the special case of unification where the pattern $D$ on the right-hand side of the equation $C \equiv^? D$ does not contain variables. As an easy consequence of Theorem 1, matching in $\mathcal{FL}_{reg}$ can be reduced (in linear time) to solving linear equations over regular languages of the following form:

$$S_0 \cup S_1 X_1 \cup \cdots \cup S_n X_n = T_0. \tag{7}$$

For $\mathcal{FL}_0$, one obtains the same kind of equations, but there $S_0, \ldots, S_n, T_0$ are finite languages, and one is interested in finite solvability. In [?] it was shown that matching in $\mathcal{FL}_0$ is polynomial, and in [?] this result was extended to the DL $\mathcal{ALN}$.

For $\mathcal{FL}_{reg}$, matching is at least PSpace-hard since equality of regular languages is a PSpace-complete problem if one assumes that the languages are given by regular expressions or nondeterministic finite automata. Thus, the equivalence problem in $\mathcal{FL}_{reg}$ is already PSpace-complete (this corresponds to the case $n = 0$ in equation (7)). We can show that matching is not harder than testing for equivalence.

Theorem 4. Matching in $\mathcal{FL}_{reg}$ is a PSpace-complete problem.

It remains to be shown that solvability of equations of the form (7) can be decided within polynomial space. Again, we consider the mirror equation

$$S_0^{mi} \cup X_1 S_1^{mi} \cup \cdots \cup X_n S_n^{mi} = T_0^{mi} \tag{8}$$

in place of the original equation (7). The main idea underlying the proof of Theorem 4 is that such an equation has a solution iff a certain candidate solution solves the equation.

Lemma 5. Let $L_i := \{w \mid \{w\} S_i^{mi} \subseteq T_0^{mi}\}$. Then equation (8) has a solution iff

$$S_0^{mi} \cup L_1 S_1^{mi} \cup \cdots \cup L_n S_n^{mi} = T_0^{mi}. \tag{9}$$

In this case, the $L_i$'s yield a greatest solution of (8).

The proof of this lemma is similar to the one for the case of finite languages given in [?]. It remains to be shown that the validity of identity (9) can be tested within polynomial space (in the size of nondeterministic finite automata for the languages $S_0^{mi}, \ldots, S_n^{mi}, T_0^{mi}$). By definition of the sets $L_i$, the inclusion from left-to-right holds iff $S_0^{mi} \subseteq T_0^{mi}$. Obviously, this can be tested in PSpace.

How to derive a PSpace-test for the inclusion in the other direction is not that obvious. Here, we sketch how the inclusion $T_0^{mi} \subseteq L_1 S_1^{mi}$ can be tested (the extension to the union in identity (9) is then simple). First, we define an exponentially large automaton for $L_1 S_1^{mi}$. However, the representation of each state of this automaton requires only polynomial space, and navigation in this automaton (i.e., determining initial states, final states, and state transitions) can also be realized within polynomial space. Thus, if we construct the automaton on-the-fly, we stay within PSpace.

An automaton $\mathcal{B}$ for $L_1 = \{w \mid \{w\} S_1^{mi} \subseteq T_0^{mi}\}$ can be obtained as follows. We construct the usual deterministic powerset automaton from the given nondeterministic automaton $\mathcal{A}$ for $T_0^{mi}$. The only difference is the definition of the final states. A state $P$ of $\mathcal{B}$ (i.e., a subset of the set of states of $\mathcal{A}$) is a final state iff $S_1^{mi} \subseteq L_{\mathcal{A}}(P)$, where $L_{\mathcal{A}}(P)$ is the language accepted by $\mathcal{A}$ if $P$ is taken as its set of initial states. It is easy to see that the automaton $\mathcal{B}$ obtained this way indeed accepts $L_1$, and that we can navigate in this automaton within PSpace. In particular, note that testing whether a state $P$ of this automaton is a final state is a PSpace-complete problem.

The automaton $\mathcal{C}$ for $L_1 S_1^{mi}$ has as states tuples, where the first component is a state of $\mathcal{B}$ and the second component is a set of states of $\mathcal{A}_1$, the nondeterministic automaton for $S_1^{mi}$. Transitions in the first component are those of $\mathcal{B}$. In the second component, they are in principle the transitions of the powerset automaton corresponding to $\mathcal{A}_1$, with the following difference: if, on input $r$, the automaton $\mathcal{B}$ reaches a final state, then in the second component we extend the set reached with $r$ in the powerset automaton of $\mathcal{A}_1$ by the initial states of $\mathcal{A}_1$. Final states of $\mathcal{C}$ are those whose second component contains a final state of $\mathcal{A}_1$. The initial state is $(I, J)$, where $I$ is the initial state of $\mathcal{B}$ and $J$ is the set of initial states of $\mathcal{A}_1$ or empty, depending on whether $I$ is a final state of $\mathcal{B}$ or not. Again, it is easy to see that navigation in $\mathcal{C}$ is possible within PSpace.

To decide whether $T_0^{mi} \subseteq L_1 S_1^{mi}$, we try to "guess" a counterexample (recall that PSpace = NPSpace). This is a word that is in $T_0^{mi}$ but not in $L_1 S_1^{mi}$. The length of a minimal such word can be bounded by the product of the size of $\mathcal{A}$ (the nondeterministic automaton for $T_0^{mi}$) and the size of $\mathcal{C}$ (the deterministic automaton for $L_1 S_1^{mi}$). We traverse $\mathcal{A}$ and $\mathcal{C}$ simultaneously, and have a counterexample if $\mathcal{A}$ is in a final state and $\mathcal{C}$ is not. The next letter and the successor state in $\mathcal{A}$ are guessed, and the successor state in $\mathcal{C}$ can be computed in PSpace. In addition, we use an exponential counter (requiring only polynomial space) that terminates the search if the (exponential) bound on the length of a minimal counterexample is reached.
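The decision procedure of Lemma 5 for one variable, built from the automata $\mathcal{B}$ and $\mathcal{C}$ just described, as an added Python example; this is not code from the paper. The final-state test of $\mathcal{B}$ is the inclusion check $S_1 \subseteq L_{\mathcal{A}}(P)$, $\mathcal{C}$ is navigated on-the-fly exactly as in the text, and the union with $S_0$ (the "simple extension") is handled by running the powerset automaton of $S_0$ alongside. The search for a counterexample is a deterministic breadth-first traversal of the product rather than the nondeterministic guessing of the proof, so it does not stay within polynomial space; the bounded counter is therefore unnecessary, since the traversal visits each product state once. The mirror images are taken as given, so the sample automata directly define $S_0^{mi}$, $S_1^{mi}$ and $T_0^{mi}$; all of them are constructed.

```python
from collections import deque

class NFA:
    """Nondeterministic finite automaton.  `delta` maps (state, letter) to the
    set of successor states; a missing key means "no transition"."""
    def __init__(self, alphabet, init, delta, finals):
        self.alphabet = tuple(alphabet)
        self.init = frozenset(init)
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.finals = frozenset(finals)

    def step(self, P, a):
        """Transition of the powerset automaton: successors of the set P on a."""
        return frozenset(q for p in P for q in self.delta.get((p, a), ()))

    def accepts_from(self, P):
        return bool(P & self.finals)


def included(n1, n2, P2=None):
    """L(n1) ⊆ L_{n2}(P2)?  (n2 is started from the state set P2, by default its
    own initial states.)  Breadth-first search over pairs (state of n1, subset of
    n2): the inclusion fails iff a pair with n1 final and no n2 final state is
    reachable by some word."""
    P2 = n2.init if P2 is None else frozenset(P2)
    seen, queue = set(), deque((q, P2) for q in n1.init)
    while queue:
        q, P = queue.popleft()
        if (q, P) in seen:
            continue
        seen.add((q, P))
        if q in n1.finals and not n2.accepts_from(P):
            return False
        for a in n1.alphabet:
            for q2 in n1.delta.get((q, a), ()):
                queue.append((q2, n2.step(P, a)))
    return True


def b_final(A, S1, P):
    """Final states of B (powerset automaton of A with modified finals):
    P is final iff S_1 ⊆ L_A(P), i.e. iff the word that reached P lies in L_1."""
    return included(S1, A, P)


def c_initial(A, S1):
    """Initial state (I, J) of the automaton C for L_1 S_1."""
    I = A.init
    return (I, S1.init if b_final(A, S1, I) else frozenset())


def c_step(A, S1, state, a):
    """C reads a: the first component follows B, the second follows the powerset
    automaton of S_1 and is extended by the initial states of S_1 whenever B
    lands in a final state."""
    P, J = state
    P2, J2 = A.step(P, a), S1.step(J, a)
    if b_final(A, S1, P2):
        J2 |= S1.init
    return (P2, J2)


def c_final(S1, state):
    return S1.accepts_from(state[1])


def counterexample(S0, S1, A):
    """A word in T_0 = L(A) that lies neither in S_0 nor in L_1 S_1, or None.
    A (as an NFA), C and the powerset automaton of S_0 are traversed together."""
    seen = set()
    queue = deque((q, c_initial(A, S1), S0.init, "") for q in A.init)
    while queue:
        q, c, P0, word = queue.popleft()
        if (q, c, P0) in seen:
            continue
        seen.add((q, c, P0))
        if q in A.finals and not c_final(S1, c) and not S0.accepts_from(P0):
            return word
        for a in A.alphabet:
            for q2 in A.delta.get((q, a), ()):
                queue.append((q2, c_step(A, S1, c, a), S0.step(P0, a), word + a))
    return None


def solvable(S0, S1, A):
    """Lemma 5 for n = 1: S_0 ∪ X S_1 = T_0 is solvable iff S_0 ⊆ T_0 (the
    left-to-right inclusion of (9)) and T_0 ⊆ S_0 ∪ L_1 S_1 (right-to-left)."""
    return included(S0, A) and counterexample(S0, S1, A) is None


# Constructed sample instances over the alphabet {a, b}.
T0_EVEN = NFA("ab", {0}, {(0, "a"): {1}, (1, "a"): {0}, (0, "b"): {2}}, {2})  # (aa)*b
T0_STAR = NFA("ab", {0}, {(0, "a"): {0}, (0, "b"): {1}}, {0, 1})              # a* ∪ a*b
S1_B = NFA("ab", {0}, {(0, "b"): {1}}, {1})                                    # {b}
S0_EMPTY = NFA("ab", {0}, {}, set())                                          # ∅
S0_STAR = NFA("ab", {0}, {(0, "a"): {0}}, {0})                                # a*
```

For `T0_EVEN` with $S_1 = \{b\}$ the candidate $L_1 = (aa)^*$ solves the equation; for `T0_STAR` with $S_0 = \emptyset$ the empty word is in $T_0$ but not in $L_1 S_1 = a^*b$, so the search returns it as the counterexample, and adding $S_0 = a^*$ makes the equation solvable again.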



7 Conclusion

We have shown that unification in $\mathcal{FL}_{reg}$ is equivalent via linear time reductions to solvability of linear equations over regular languages, and that these problems are ExpTime-complete. If we restrict the attention to matching problems (equations where one side does not contain variables), then the problem is PSpace-complete. In both cases, solvable problems (equations) have least (greatest) solutions, which may be exponential in the size of the problem (equation)⁸ and which can be computed in exponential time. In addition to the application for description logics, we think that the results on solving linear equations over regular languages are also of interest in their own right (e.g., in formal language theory).

From the description logic point of view, one is of course also interested in unification in more expressive DLs, but this appears to be a hard problem. Recently, we have extended the decidability results to the DL obtained from $\mathcal{FL}_{reg}$ by adding inconsistency ($\bot$). Surprisingly, it is not clear how to handle the corresponding extension of $\mathcal{FL}_0$.

⁸ Note that equation (6) actually corresponds to a matching problem.
Abstract. Given an intuitionistic proof net of linear logic, we abstract an order between its atomic formulas. From this order, we represent intuitionistic multiplicative proof nets in the more compact form of models of directed acyclic graph descriptions. If we restrict the logical framework to the implicative fragment of intuitionistic linear logic, we show that proof nets reduce to models of tree descriptions.



1 Introduction 

Resource sensitivity of linear logic entails a specific form of proof: proof nets [Gir87]. In the general framework of classical linear logic (CLL), these proof nets are not directed so that each extremity of a proof net can be viewed as either an input or an output; in other words, each formula that is attached to an extremity of a proof net can be considered either as an assumption (input) or as a conclusion (output) of the proof.

If we restrict ourselves to Intuitionistic Linear Logic (ILL), things freeze in a configuration where all formulas become polarized, one as the output and the others as the inputs. In particular, the assumptions of the proof are fixed once and for all and there is a unique conclusion which is also fixed once and for all, so that every proof net becomes directed from its assumptions to the conclusion. F. Lamarche has devised a correctness criterion for these proof nets which takes their specificity into account [Lam94]. This criterion is based on particular paths inside intuitionistic proof nets.

We restrict ourselves to the multiplicative fragment of ILL (IMLL) and we use these paths for designing a more abstract representation of proof nets in the shape of models of Directed Acyclic Graph (DAG) descriptions. The paths, which we call dominance paths, induce a dominance order between the atomic formulas of each proof net which grounds this new representation of proof nets.

This view of proofs in the shape of models of DAG descriptions is not usual in the area of proof theory; it comes from the computational linguistics community. A major difficulty in the task of parsing sentences in natural language comes from the high degree of ambiguity they possess. If we use lexicalized grammars for parsing, all different syntactic uses of the same word are stored in a lexicon entry. If we represent syntactic structures with trees, every lexicon entry can contain more than a hundred trees for a word. For solving this problem, recent works propose to replace the manipulation of completely specified syntactic trees with the manipulation of sets of properties representing under-specified syntactic trees [VS92, RVS94, RVSW95, Bla99]. The content of every lexical entry can be factorized in the shape of a tree description. Parsing a sentence consists first in gathering the tree descriptions given by the lexicon for all its words in a unique description. Then, the proper parsing process consists in searching for all syntactic trees that satisfy this description. Formally, tree descriptions are represented by classical logic first order formulas and the completely specified syntactic trees that satisfy these descriptions are represented by models of these formulas in the sense of model theory for classical logic [RVS94].

We propose to transpose this idea into the apparently very different framework of intuitionistic proof nets. When we want to prove an IMLL sequent, the forest of the syntactic trees of its formulas provides an initial proof frame which can be viewed as an under-specified proof net and represented in the shape of a DAG description. This description expresses the under-specified dominance order between the atomic formulas present in the sequent. Building a proof net from this sequent by linking atomic formulas in dual pairs by means of axioms amounts to finding models of the initial description that completely specify the dominance order between atomic formulas.

The interest of such an approach is to simplify the notion of proof net by keeping what is essential while dropping unessential information. So there is a strict equivalence between provability of sequents and the existence of models for DAG descriptions, but in these descriptions, formulas such as $(F_1 \otimes F_2) \multimap G$, $F_1 \multimap (F_2 \multimap G)$, $F_2 \multimap (F_1 \multimap G)$ are all represented in the same way.

We can take advantage of this simplification for theorem proving in ILL but also for linguistic applications, namely modelling the syntax of natural languages.

The full paper, with proofs, is available on www.loria.fr/~perrier. In both Sections 2 and 3, in a first stage, we recall the main results about intuitionistic proof nets, which can already be found in [Lam94]. Nevertheless, proofs of theorems are original, in particular that of the sequentialization theorem (Theorem [?]). Then, in a second stage, we address what makes the originality of the paper: the reduction of theorem proving to the search for models of tree or DAG descriptions.



2 Intuitionistic Implicative Linear Logic (IILL)

2.1 IILL Proof Nets

In this subsection, we recall the definition of IILL proof nets and their characterization with Lamarche's criterion.

Let $\mathcal{A}$ be a set of atomic propositions. If $A$ represents any element of $\mathcal{A}$, any IILL formula $F$ is defined by the following grammar: $F ::= A \mid F \multimap F$.

The two-sided IILL sequent calculus handles sequents that are constituted of IILL formulas and that have exactly one formula in their succedent.

This calculus can be translated in the framework of the one-sided sequent calculus of CLL by means of polarities. Two functions $(\cdot)^+$ and $(\cdot)^-$ map IILL formulas to CLL formulas according to the following definition:

$$(A)^+ = A \qquad\qquad (A)^- = A^\perp$$

$$(F_1 \multimap F_2)^+ = (F_1)^- \parr (F_2)^+ \qquad\qquad (F_1 \multimap F_2)^- = (F_1)^+ \otimes (F_2)^-$$

CLL formulas that are positive or negative translations of IILL formulas are called IILL polarized formulas. Their syntax can be easily established independently from the IILL formulas which they represent.

IILL sequents $F_1, \ldots, F_n \vdash G$ are translated into CLL sequents $\vdash F_1^-, \ldots, F_n^-, G^+$. These sequents are called IILL polarized sequents.

The following proposition establishes the equivalence between the one-sided and the two-sided presentations of IILL.

Proposition 1. An IILL sequent $F_1, \ldots, F_n \vdash G$ is provable iff the sequent $\vdash F_1^-, \ldots, F_n^-, G^+$ is provable in CLL.

In CLL, proving a sequent $\vdash F_1^-, \ldots, F_n^-, G^+$ amounts to building a proof net. This starts with the unfolding of the syntactic trees of the formulas $F_1^-, \ldots, F_n^-, G^+$. Since we are in a restricted fragment of CLL, these trees include only two kinds of links defined by Figure 1. The forest of the syntactic trees of the formulas $F_1^-, \ldots, F_n^-, G^+$ constitutes

[Figure 1 (image not available): Negative and positive heterogeneous links of IILL proof nets]

Fig. 1. Negative and positive heterogeneous links of IILL proof nets



an initial proof frame. Then, for proving the sequent, we have to connect each negative leaf with a positive leaf of the same type by means of a link which is called an axiom link in proof net theory. When all leaves are connected, the proof frame becomes a proof structure. The inputs of the proof structure represent the negative formulas $F_1^-, \ldots, F_n^-$ and its unique output represents $G^+$.

Of course, not all proof structures are proof nets. Among the variety of correctness criteria for proof nets, we have chosen that of Lamarche because it uses the specific properties of intuitionistic proof nets. This criterion uses particular paths in proof nets, which we call dominance paths. These paths presuppose an orientation of proof structures by the polarities of their formulas: positive formulas enter links for constituting bigger formulas and go out of the links which produce them, and it is the contrary for negative formulas.¹

Definition 1. In a proof structure, a dominance path is a path that includes no negative premises of positive nodes except possibly as its beginning.

An occurrence of formula $F_1$ dominates an occurrence of formula $F_2$ if there is a dominance path (possibly empty) from $F_2$ to $F_1$ in the proof structure.

¹ Positive sub-formulas are represented by down arrows and negative sub-formulas by up arrows.
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According to this definition and the syntax of proof structures, there is exactly one 
maximal dominance path that starts from a given formula. Either this path is infinite and 
includes one cycle or it ends at the output of the proof structure. 

Definition 2. A proof structure is a proof net if its output dominates any of its formula 
occurrences and if the positive premise of any positive link dominates the negative 
premise of the same link. 

In this definition, the first condition can be restricted to negative links and reformulated 
as follows: in a proof net, the positive premise of any negative link does not dominate 
the negative premise of the same link. In this way, the two conditions appear to be dual 
to each other. A corollary of the definition of a proof net is that the dominance relation 
is an order in a proof net. 

The notion of proof net is justified by the following theorem. 

Theorem 1. An IILL sequent F_1, ..., F_n ⊢ G is provable iff there is a proof net of 
⊢ F_1^-, ..., F_n^-, G^+.



Example 1. We consider the following IILL sequent: 

a ⊸ (b ⊸ c), (d ⊸ ((d ⊸ b) ⊸ c)) ⊸ e ⊢ a ⊸ e 

According to Proposition 1, the provability of this sequent in IILL amounts to the provability 
of the following sequent in CLL: ⊢ a ⊗ (b ⊗ c⊥), (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥, a⊥ ⅋ e. 
First, we construct the proof frame. By adding axiom links, we obtain the proof 
structure given by Figure 2, which is a proof net because it verifies Lamarche's criterion.








Fig. 2. Proof net of the sequent ⊢ a ⊗ (b ⊗ c⊥), (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥, a⊥ ⅋ e 

2.2 Models of Tree Descriptions 

From the notion of dominance paths in IILL proof nets, we abstract a more compact 
representation of IILL proofs which only takes atomic formulas into account. In a proof 
net, the dominance order between its atomic formulas is used to represent proof nets 
as models of tree descriptions. Even if this order is not sufficient to re-build the corre- 
sponding proof net, it is sufficient to verify its correctness. 

Tree descriptions are abstract representations of IILL sequents in the shape of classical 
first-order logic formulas which are defined from a set 𝒩 of nodes. These descriptions 
are defined modulo a renaming of their nodes. If any node in 𝒩 is denoted N, any tree 
description D is defined syntactically as follows: 

D ::= N : A | N : A⊥ | N > N | N >* N | D ∧ D 

Relations > and >* are respectively called immediate dominance and dominance relations.

Every IILL polarized formula F is translated into a tree description Descr(F) according 
to the following definition. 

Definition 3. If F is an IILL polarized formula, then Descr(F) is a tree description 
and Root(Descr(F)) is a node of Descr(F) which are defined recursively in parallel 
as follows. 

1. if F = A, then Descr(F) = (N : A) and Root(Descr(F)) = N; 

2. if F = A⊥, then Descr(F) = (N : A⊥) and Root(Descr(F)) = N; 

3. if F = (F_1^- ⅋ F_2^+), then 
   Descr(F) = Descr(F_1^-) ∧ Descr(F_2^+) ∧ (Root(Descr(F_2^+)) >* Root(Descr(F_1^-))) and 
   Root(Descr(F)) = Root(Descr(F_2^+)); 

4. if F = (F_1^+ ⊗ F_2^-), then 
   Descr(F) = Descr(F_1^+) ∧ Descr(F_2^-) ∧ (Root(Descr(F_2^-)) > Root(Descr(F_1^+))) and 
   Root(Descr(F)) = Root(Descr(F_2^-)). 

Items 3 and 4 are bound by the condition that the nodes of the two descriptions that are 
composed together are disjoint, otherwise the common nodes are renamed.

The meaning of this translation is the following: 

- if there exists a dominance path from a positive atomic formula A to a negative 
  atomic formula B⊥ in the syntactic tree of F, then B⊥ immediately dominates A in 
  Descr(F); 

- if it is necessary to create a dominance path from a negative atomic formula B⊥ to 
  a positive atomic formula A in the syntactic tree of F for building a proof net from 
  F, then A dominates B⊥ in Descr(F).
Example 2. 

Here is the tree description that represents the syntax of the formula (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥ 
already used in Example 1: (n_1 : d⊥) ∧ (n_2 : d) ∧ (n_3 : b⊥) ∧ (n_4 : c) ∧ (n_5 : e⊥) ∧ 
(n_3 > n_2) ∧ (n_4 >* n_3) ∧ (n_4 >* n_1) ∧ (n_5 > n_4). This description can be represented 
graphically³ (see the middle tree on the diagram of Figure 3). 

The map Descr is naturally extended from single polarized formulas to polarized sequents. 
The shape of the resulting descriptions is very specific and it can be characterized 
intrinsically by the following definition.

Definition 4. An IILL tree description is a tree description such that: 

1. if N is any node of the description, there is exactly one atomic formula of type 
   (N : A) or (N : A⊥) in the description; 

2. the reflexive and transitive closure of the union of dominance and immediate dominance 
   relations is an order; 

3. every node N_1 that immediately dominates a node N_2 is negative and N_2 is positive; 
   moreover, N_1 is the only node that immediately dominates N_2; 

4. every node N_1 that dominates a node N_2 is positive and N_2 is negative; moreover, 
   N_1 is the only node that dominates N_2; 

5. there exists exactly one positive node that is not immediately dominated and which 
   is called the root of the description.

The first condition expresses that every node of an IILL tree description has exactly 
one label which is a proposition and the other conditions express the treeness of such a 
description with constraints on polarities. 

This definition delimits the set of IILL tree descriptions and its relationship with the set 
of IILL polarized sequents is clarified by the following theorem. 

Theorem 2. If Δ is any IILL polarized sequent, then Descr(Δ) is an IILL tree description. 
Conversely, if D is any IILL tree description, there exists an IILL polarized sequent 
Δ such that Descr(Δ) = D. 

The previous theorem shows that the map Descr is surjective but it is not bijective 
because it erases unessential differences between logic formulas. For instance, 
(F_1 ⊸ (F_2 ⊸ F_3)) and (F_2 ⊸ (F_1 ⊸ F_3)) are translated into the same tree description.

If polarized sequents are translated into tree descriptions, proof nets are translated into 
specific models of such descriptions. Since descriptions are classical logic formulas, 
their models are models of these formulas in the sense of the model theory but they are 
constrained by additional conditions. 

Definition 5. A model of an IILL description D is a tree T together with an interpretation 
function I from the set |D| of D nodes to the set |T| of T nodes which respects the 
following conditions: 

1. For every node N of |T|, I⁻¹(N) = {N_1, N_2} and there exist two propositions 
   (N_1 : A) and (N_2 : A⊥) in D. 

2. For every relation N_1 > N_2 in D, I(N_1) is the parent of I(N_2) in T. 

3. For every relation N_1 >* N_2 in D, I(N_1) is an ancestor of I(N_2) or equal to I(N_2) 
   in T. 

4. If N_1 is the parent of N_2 in T, there exists exactly one proposition (N_1' > N_2') in D 
   such that I(N_1') = N_1 and I(N_2') = N_2. 

³ Since node names do not matter, they do not appear on diagrams.

Condition 1 guarantees the neutrality of models and Condition 4 guarantees their minimality. 
From the four conditions above, we can deduce that building a model of an 
IILL description amounts to plugging dual nodes of the description while respecting 
dominance and immediate dominance relations; dominance relations are erased as soon 
as they are realized, and the construction succeeds if all nodes are neutralized without 
creating cycles and if all dominance constraints are erased.

The notion of model is linked to the notion of provability by the following theorem. 

Theorem 3. An IILL sequent F_1, ..., F_n ⊢ G is provable iff there is a model of the IILL 
tree description of the polarized sequent ⊢ F_1^-, ..., F_n^-, G^+.

Example 3. The sequent ⊢ a ⊗ (b ⊗ c⊥), (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥, a⊥ ⅋ e is translated 
into the tree description given by Figure 3. This description has a model⁴ which 
is presented in Figure 4. According to Theorem 3, this entails that the sequent 
⊢ a ⊗ (b ⊗ c⊥), (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥, a⊥ ⅋ e is provable in CLL. 

Fig. 3. Tree description of the sequent ⊢ a ⊗ (b ⊗ c⊥), (d⊥ ⅋ ((d ⊗ b⊥) ⅋ c)) ⊗ e⊥, a⊥ ⅋ e

For completing the relationship between trees and IILL tree descriptions, we have to say 
how to go from any tree to an IILL tree description. This is the purpose of the following 
proposition. 

^ The nodes of the model are labelled with the pairs of formulas that come from the nodes of the 
description that they interpret. 







Fig. 4. Model of the tree description given in Figure[3] 



Proposition 2. For any tree labelled with atomic formulas, there is a canonical way of 
building an IILL tree description which has this tree as model. 
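As an added example (not code from the paper), the following Python implements Definition 3 for IILL formulas and then searches for a model in the sense of Definition 5 by plugging dual atoms and checking the tree and dominance conditions, so that by Theorem 3 it decides provability of an IILL sequent. The tuple encoding of formulas, the node numbering and the function names (`descr`, `find_model`, `provable`) are ours, not the paper's; the search is a naive enumeration of axiom-link pairings, which is adequate for small sequents.

```python
"""Added example: tree descriptions of IILL sequents (Definition 3) and a
brute-force search for their models (Definition 5).  By Theorem 3 a model
exists iff the sequent is provable.  Encoding (ours, not the paper's):
an IILL formula is an atom name (str) or ('imp', A, B) for A -o B; a
polarized formula is ('atom', name, +1 | -1), ('par', F1, F2) or
('tensor', F1, F2)."""
import itertools


def pos(F):
    """F^+: an atom A stays A (positive); (A -o B)^+ = A^- par B^+."""
    if isinstance(F, str):
        return ('atom', F, +1)
    _, A, B = F
    return ('par', neg(A), pos(B))


def neg(F):
    """F^-: an atom A becomes A^perp (negative); (A -o B)^- = A^+ tensor B^-."""
    if isinstance(F, str):
        return ('atom', F, -1)
    _, A, B = F
    return ('tensor', pos(A), neg(B))


class Description:
    """A tree description: labelled nodes plus the > and >* relations."""

    def __init__(self):
        self.labels = {}  # node -> (atom name, polarity)
        self.imm = set()  # (n1, n2) for n1 > n2  : n1 negative, n2 positive
        self.dom = set()  # (n1, n2) for n1 >* n2 : n1 positive, n2 negative

    def fresh(self, name, pol):
        n = len(self.labels)
        self.labels[n] = (name, pol)
        return n


def descr(D, F):
    """Add Descr(F) to D with fresh nodes (so the disjointness condition of
    Definition 3 holds automatically) and return Root(Descr(F))."""
    if F[0] == 'atom':
        return D.fresh(F[1], F[2])
    r1, r2 = descr(D, F[1]), descr(D, F[2])
    if F[0] == 'par':      # item 3: Root(F2^+) >* Root(F1^-)
        D.dom.add((r2, r1))
    else:                  # item 4: Root(F2^-) > Root(F1^+)
        D.imm.add((r2, r1))
    return r2


def descr_sequent(hyps, goal):
    """Description of the polarized sequent |- F1^-, ..., Fn^-, G^+."""
    D = Description()
    for H in hyps:
        descr(D, neg(H))
    descr(D, pos(goal))
    return D


def tree_root(parent, nodes):
    """Unique root if `parent` makes `nodes` a tree, else None (cycle or forest)."""
    roots = set()
    for n in nodes:
        seen = set()
        while n in parent:
            if n in seen:
                return None
            seen.add(n)
            n = parent[n]
        roots.add(n)
    return roots.pop() if len(roots) == 1 else None


def is_ancestor_or_equal(parent, a, b):
    while a != b:
        if b not in parent:
            return False
        b = parent[b]
    return True


def find_model(D):
    """Plug dual atoms (condition 1), read the tree off the > relations
    (conditions 2 and 4) and check every >* (condition 3).  Returns
    (root, parent map) over the positive nodes used as tree nodes, or None."""
    by_atom = {}
    for n, (name, pol) in D.labels.items():
        by_atom.setdefault(name, ([], []))[0 if pol > 0 else 1].append(n)
    groups = list(by_atom.values())
    if any(len(p) != len(q) for p, q in groups):
        return None  # an atom without a dual partner: no axiom link possible
    for choice in itertools.product(*[itertools.permutations(q) for _, q in groups]):
        I = {}
        for (p_nodes, _), negs in zip(groups, choice):
            for p, q in zip(p_nodes, negs):
                I[p] = I[q] = p   # the tree node {p, q} is named by its positive node
        parent = {I[n2]: I[n1] for n1, n2 in D.imm}
        root = tree_root(parent, set(I.values()))
        if root is None:
            continue
        if all(is_ancestor_or_equal(parent, I[n1], I[n2]) for n1, n2 in D.dom):
            return root, parent
    return None


def provable(hyps, goal):
    return find_model(descr_sequent(hyps, goal)) is not None


if __name__ == '__main__':
    IMP = lambda A, B: ('imp', A, B)
    # Example 1 of the paper: a -o (b -o c), (d -o ((d -o b) -o c)) -o e |- a -o e
    hyps = [IMP('a', IMP('b', 'c')), IMP(IMP('d', IMP(IMP('d', 'b'), 'c')), 'e')]
    print(provable(hyps, IMP('a', 'e')))                            # True
    # a -o b, b -o a |- c -o c: atoms balance, but the > edges form a cycle
    print(provable([IMP('a', 'b'), IMP('b', 'a')], IMP('c', 'c')))  # False
```

Run on Example 1 it finds the model of Figure 4 (the pair of e as root, the pair of c below it, then the pairs of a and b, and the pair of d below b). On a ⊸ b, b ⊸ a ⊢ c ⊸ c the atoms balance and the pairing is forced, but the two > relations make the pairs of a and b each other's parent, so no tree exists and the sequent is rejected; this is the "without creating cycles" clause after Definition 5.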

3 Intuitionistic Multiplicative Linear Logic (IMLL) 

3.1 IMLL Proof Nets 

IMLL is an extension of IILL that results from adding a new logic connective, the tensor ⊗, 
to the linear implication. Now, if A represents any proposition, any IMLL formula 
F is defined by the grammar: 

F ::= A | F ⊸ F | F ⊗ F 

The two functions ()^+ and ()^- are extended to tensorized formulas as follows: 

(F_1 ⊗ F_2)^+ = (F_1)^+ ⊗ (F_2)^+        (F_1 ⊗ F_2)^- = (F_1)^- ⅋ (F_2)^- 

Proposition 1, which establishes the equivalence between the two-sided and the one-sided 
sequent calculi, applies to IMLL. Proof frames are enriched with two kinds of 
links defined by Figure 5. The definition of dominance paths does not change but the 





Fig. 5. Negative and positive homogeneous links of IMLL proof nets 



presence of negative homogeneous links makes it possible for dominance paths to fork. 
As a consequence, the correctness criterion of proof nets must be made more precise. 
Definition 6. An IMLL proof structure is a proof net if its dominance relation is an 
ordering with the following properties: the output dominates any other formula occur- 
rences and the positive premise of any positive link dominates the negative premise of 
the same link. 

The theorem that establishes the equivalence between provability in the sequent calculus 
and provability with proof nets has a proof which is more complicated than in IILL in 
its sequentialization part. 

Theorem 4. An IMLL sequent F_1, ..., F_n ⊢ G is provable iff there is a proof net of 
⊢ F_1^-, ..., F_n^-, G^+.



Example 4. We consider the following IMLL sequent: 

(((f ⊗ g) ⊸ a) ⊸ (a ⊗ b)) ⊸ c, ((d ⊗ g) ⊸ c) ⊸ e ⊢ (d ⊸ (b ⊗ f)) ⊸ e 

The provability of this sequent in IMLL amounts to the provability of the following 
sequent in CLL: 

⊢ (((f ⊗ g) ⊗ a⊥) ⅋ (a ⊗ b)) ⊗ c⊥, ((d⊥ ⅋ g⊥) ⅋ c) ⊗ e⊥, (d ⊗ (b⊥ ⅋ f⊥)) ⅋ e 

By adding axiom links to the proof frame, we obtain the proof structure of Figure 6, 
which is a proof net because it verifies Lamarche's criterion. 

Fig. 6. Proof net of the sequent ⊢ (((f ⊗ g) ⊗ a⊥) ⅋ (a ⊗ b)) ⊗ c⊥, ((d⊥ ⅋ g⊥) ⅋ c) ⊗ e⊥, 
(d ⊗ (b⊥ ⅋ f⊥)) ⅋ e



3.2 Models of DAG Descriptions 

If we try again to view proofs of sequents as models of descriptions, the main change 
that we have to do is to replace trees with DAGs. 





First, we have to extend the syntax of descriptions with the use of classical disjunction 
so that a DAG description D is defined by the following grammar: 

D ::= N : A | N : A⊥ | N > N | N >* N | D ∧ D | D ∨ D

The map Descr that turns a polarized formula F into a DAG description Descr(F) is 
more sophisticated. Now, Root(Descr(F)) is a set of nodes, so that the definition of 
Descr and Root is the following: 

Definition 7. If F is an IMLL polarized formula, then Descr(F) is a DAG description 
and Root(Descr(F)) is a set of nodes of Descr(F) which are defined recursively in 
parallel as follows. 

1. if F = A, then Descr(F) = (N : A) and Root(Descr(F)) = {N}; 

2. if F = A⊥, then Descr(F) = (N : A⊥) and Root(Descr(F)) = {N}; 

3. if F = (F_1^- ⅋ F_2^+), then 
   Descr(F) = Descr(F_1^-) ∧ Descr(F_2^+) ∧ (⋀_{i=1}^{n} ⋁_{j=1}^{m} (B_j >* A_i⊥)) where 
   Root(Descr(F_1^-)) = {A_1⊥, ..., A_n⊥} and Root(Descr(F_2^+)) = {B_1, ..., B_m}; 
   Root(Descr(F)) = Root(Descr(F_2^+)); 

4. if F = (F_1^+ ⊗ F_2^-), then 
   Descr(F) = Descr(F_1^+) ∧ Descr(F_2^-) ∧ (⋀_{i=1}^{n} ⋀_{j=1}^{m} (B_j⊥ > A_i)) where 
   Root(Descr(F_1^+)) = {A_1, ..., A_n} and Root(Descr(F_2^-)) = {B_1⊥, ..., B_m⊥}; 
   Root(Descr(F)) = Root(Descr(F_2^-)); 

5. if F = (F_1^+ ⊗ F_2^+), then Descr(F) = Descr(F_1^+) ∧ Descr(F_2^+); 
   Root(Descr(F)) = Root(Descr(F_1^+)) ∪ Root(Descr(F_2^+)); 

6. if F = (F_1^- ⅋ F_2^-), then Descr(F) = Descr(F_1^-) ∧ Descr(F_2^-); 
   Root(Descr(F)) = Root(Descr(F_1^-)) ∪ Root(Descr(F_2^-)). 

The four last items are bound by the condition that the nodes of the two descriptions that 
are composed together are disjoint, otherwise the common nodes are renamed.

In the same way as for IILL, the map Descr is extended to polarized sequents. 

Example 5. Let us consider the following sequent again: 

⊢ (((f ⊗ g) ⊗ a⊥) ⅋ (a ⊗ b)) ⊗ c⊥, ((d⊥ ⅋ g⊥) ⅋ c) ⊗ e⊥, (d ⊗ (b⊥ ⅋ f⊥)) ⅋ e 

It is translated into the DAG description which is represented graphically by the diagram 
of Figure 7. Disjunctions between dominance relations are represented by arcs of circle.



The shape of the DAG descriptions resulting from the translation of polarized sequents 
is more complicated in IMLL than in IILL. It needs the auxiliary definition of parent 
set. 
Fig. 7. DAG description of the sequent ⊢ (((f ⊗ g) ⊗ a⊥) ⅋ (a ⊗ b)) ⊗ c⊥, ((d⊥ ⅋ g⊥) ⅋ c) ⊗ 
e⊥, (d ⊗ (b⊥ ⅋ f⊥)) ⅋ e



Definition 8. In a DAG description D, the parent set of a positive node N is the set of 
the nodes N_i such that (N_i > N) belongs to D and the parent set of a negative node 
N' is the set of the nodes N_i such that (N_i >* N') belongs to D. 

With this notion, an IMLL DAG description is characterized intrinsically by the following 
definition. 

Definition 9. An IMLL DAG description is a DAG description that can be put in the 
shape D_Nodes ∧ D_ImmDom ∧ D_Dom with the following properties: 

1. D_Nodes is a conjunction of propositions in the form (N : L) such that N is an 
   element of 𝒩 and L is a positive or negative formula; every node of 𝒩 is present 
   one time at most in D_Nodes; 

2. D_ImmDom is a conjunction of propositions in the form (N_1 > N_2) such that N_1 and 
   N_2 are present in D_Nodes with respectively a negative and a positive label; 

3. D_Dom is a conjunction of disjunctions in the form (N_1 >* N) ∨ ... ∨ (N_p >* N) 
   such that N_1, ..., N_p are present in D_Nodes with positive labels and N is present 
   with a negative label; 

4. the reflexive and transitive closure of the union of the dominance and immediate 
   dominance relations described by D_ImmDom and D_Dom is an order; 

5. two parent sets determined by D_ImmDom or D_Dom either are disjoint or one is 
   included in the other, and the elements of any parent set are dominated and immediately 
   dominated by the same nodes; 

6. the set of positive nodes that are immediately dominated by no negative node is not 
   empty.
Condition 4 expresses acyclicity of DAGs. Condition 5 expresses structural constraints 
related to the relative positions of positive and negative links in a proof net. As we will 
see in the proof of Theorem 5, this condition is essential for recovering IMLL polarized 
sequents from DAG descriptions. 

Theorem 5. If Δ is any IMLL polarized sequent, then Descr(Δ) is an IMLL DAG 
description. Conversely, if D is any IMLL DAG description, there exists an IMLL polarized 
sequent Δ such that Descr(Δ) = D.

Now, we have established an equivalence between IMLL polarized sequents and IMLL 
descriptions and we have to establish a corresponding equivalence between proof nets 
and specific models of such descriptions. First, we must define the constraints that make 
the specificity of these models. 

Definition 10. A model of an IMLL DAG description D is a DAG G together with an 
interpretation function I from the set |D| of D nodes to the set |G| of G nodes which 
respects the following conditions: 

1. For every node N of |G|, I⁻¹(N) = {N_1, N_2} and there exist two propositions 
   (N_1 : A) and (N_2 : A⊥) in D. 

2. For every relation N_1 > N_2 in D, I(N_1) is a parent of I(N_2) in G. 

3. In every disjunction (N_1 >* N) ∨ ... ∨ (N_p >* N) in D, there exists at least one 
   proposition (N_k >* N) such that every path that starts from I(N) in G goes through 
   I(N_k). 

4. If N_1 is a parent of N_2 in G, there exists exactly one proposition (N_1' > N_2') in D 
   such that I(N_1') = N_1 and I(N_2') = N_2. 

What is new in this definition with respect to IILL is the interpretation of dominance 
relations. First, we have to interpret disjunctions, and then the interpretation of dominance 
is stronger than the existence of a path in a DAG: a node N_1 can be an ancestor 
of a node N_2 in a DAG but this relation is not an interpretation of a dominance relation 
if N_1 is an ancestor of a third node which is not comparable with N_2. 

Theorem 6. An IMLL sequent F_1, ..., F_n ⊢ G is provable iff there is an IMLL model 
of the DAG description of the polarized sequent ⊢ F_1^-, ..., F_n^-, G^+.

Example 6. Let us take again the sequent 

⊢ (((f ⊗ g) ⊗ a⊥) ⅋ (a ⊗ b)) ⊗ c⊥, ((d⊥ ⅋ g⊥) ⅋ c) ⊗ e⊥, (d ⊗ (b⊥ ⅋ f⊥)) ⅋ e 

Its description, given in Figure 7, has a model that is presented in Figure 8. Therefore, 
according to Theorem 6, the sequent is provable in CLL.

For completing the relationship between DAGs and IMLL DAG descriptions, we have 
to say how to go from any DAG to an IMLL DAG description. Unlike trees, we have to 
make a restriction that uses the notion of parent set which can be easily transposed from 
DAG descriptions to DAGs. 

Proposition 3. For any DAG labelled with atomic formulas, there is a canonical way of 
building an IMLL DAG description that has this DAG as model if it respects the following 
property: if two parent sets are not disjoint, one is included in the other. 
Fig. 8. Model of the DAG description given in Figure 7 



4 Applications to Theorem Proving and Syntactic Analysis of 
Natural Languages 

In this paper, we have shown that proof nets in the framework of IMLL reduce to specific 
models of DAG descriptions. Now, the question is what kinds of applications can find 
some interest in this new approach to proofs in linear logic. In the restricted space of 
this paper, we can merely give a flavour of possible applications.

4.1 Theorem Proving as a Constraint Satisfaction Problem 

By reducing theorem proving to finding models of DAG descriptions, we obtain a formulation 
of this problem which is now monotone and can be treated as a constraint 
satisfaction problem:

- The variables of the problem are the nodes of the descriptions. 

- There are two kinds of constraints on these variables: general constraints define the 
general shape of the models and specific constraints describe the particular sequents 
that have to be proved. 

- Problems have solutions if all constraints are satisfiable. 

For the moment, there exists no implementation of this approach but a sizeable amount 
of work has been done on the treatment of dominance constraints as finite set constraints 
[DT99], which can be easily re-used for IMLL tree or DAG descriptions. The idea 
behind this treatment is simple but very fruitful: every node of a tree or DAG description 
is associated with an integer; then, four or five finite set variables are associated with 
every node, which represent a partition of the space with respect to the node that is 
considered (up, down, left, right, equal); then, dominance constraints are expressed in 
terms of relations between sets of integers (inclusion, disjointness, ...).
4.2 Models of the Syntax of Natural Languages 

Resource sensitivity of linear logic is used for modelling the syntax of natural languages 
in the approach of Categorial Grammars [Moo96,Ret96]. In this approach, grammars 
are lexicalized. The entries of lexicons are finite sets of logic formulas which represent 
syntactic types. Parsing a sentence w_1 ... w_n consists first in selecting a type F_i from 
the lexicon for each word w_i of the sentence. Then the proper parsing process consists 
in proving the formula S, which represents the sentence type, from the hypotheses 
F_1, ..., F_n. 

The consequence of this approach is that syntactic structures are represented by proof 
nets. In these proof nets, axiom links represent syntactic dependencies between the 
constituents of a sentence. 

Since IMLL does not bring significant advantages with respect to IILL from a linguistic 
point of view, most of the time we use IILL as logical framework. In this framework, the 
interest of viewing proof nets as models of tree descriptions is to simplify the formalism 
in order to keep only the pieces of information that are linguistically pertinent: tree 
descriptions represent exactly under-specified syntactic trees as grammarians know 
them.



Fig. 9. Tree description representing the resources used for parsing John whom Mary knows 



Example 7. In Figure 9, you find a very simple example of a tree description⁵ representing 
the resources that are provided by a lexicon for parsing the noun phrase (np) John 
whom Mary knows. For the sake of simplicity, we have dropped linguistic information and 
we have only kept the syntactic types of the words in the form of linear logic formulas. 
Our lexicon gives the following respective types for the words John, whom, Mary and 
knows: np, np ⊸ ((np ⊸ s) ⊸ np), np, np ⊸ (np ⊸ s). Parsing the phrase amounts 
to proving the IILL sequent: np, np ⊸ ((np ⊸ s) ⊸ np), np, np ⊸ (np ⊸ s) ⊢ np. 
Parsing succeeds because there is a model of the description which is given in Figure 
10 and which exactly represents the syntactic tree of the noun phrase John whom Mary 
knows. 

⁵ As usual in linguistics, trees are oriented top-down.

This approach to the syntax of natural languages makes it possible to build a bridge between two 
apparently opposite views: a proof-theoretic view and a model-theoretic view [PS01]. It 
also makes it possible to design more flexible linguistic formalisms which take advantage of both 
the resource sensitivity of Categorial Grammars and the flexibility of tree descriptions [Per00].



Fig. 10. Model of the tree description of Figure 9 representing the syntactic tree of John whom 
Mary knows
Abstract. Coercive subtyping is a general approach to subtyping, inheritance 
and abbreviation in dependent type theories. A vital requirement 
for coercive subtyping is that of coherence: computational uniqueness 
of coercions between any two types. In this paper, we develop techniques 
useful in proving coherence and its related result on admissibility of transitivity 
and substitution. In particular, we consider suitable subtyping 
rules for Π-types and Σ-types and prove their coherence and the admissibility 
of substitution and transitivity rules at the type level in the 
coercive subtyping framework.



1 Introduction 

Coercive subtyping, as studied in [Luo97,Luo99,SL01], represents a novel general 
approach to subtyping and inheritance in type theory. In particular, it provides a 
framework in which subtyping, inheritance, and abbreviation can be understood 
in dependent type theories where types are understood as consisting of canonical 
objects. 

In this paper, we consider the issue of coherence in the framework of coercive 
subtyping; in particular, we develop techniques useful for proving coherence in 
coercive subtyping. The coherence conditions are the most basic requirement 
for the subtyping rules. In essence, it says that any two coercions between two 
types must be the same, which ensures the uniqueness of coercions (if any). 
Among other things, coherence is the basis for the whole coercive subtyping 
framework to be consistent and for it to be implemented in a correct way. A 
related important issue is that of admissibility of transitivity and substitution, 
which apart from its relationship with coherence, is essential for implementation 
of the theory. 

We shall develop methods to prove coherence and the admissibility results. In 
particular, we consider suitable subtyping rules for Π- and Σ-types as examples 
to demonstrate these proof techniques. Although some important meta-theoretic 

* The first author thanks the support of the ORS Award and the Durham University 
studentship. This work by the second author is partly supported by the UK EPSRC 
grant GR/M75518 and the EU grant on the TYPES project. 
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results such as the conservativity result have been obtained for coercive subtyp- 
ing, the current paper is the first attempt to prove coherence and admissibility 
results at the type level in the framework. The techniques developed here have 
wider and further applications. 

In Section 2 we give an overview of coercive subtyping, presenting the formal 
framework and giving informal explanations of the coherence problem. In Section 
3, a general strategy for proving coherence and the admissibility results is 
considered, and a formal definition of the so-called well-defined coercions is given 
as the basis for the proof techniques to be considered in the following sections. 
In Sections 4 and 5 we prove coherence and the admissibility of substitution and 
transitivity rules, respectively. Discussions are given in the concluding section 
(Section 6), where we discuss issues such as decidability and weak transitivity, 
the latter of which is important for the coercive subtyping framework and its 
applications.



2 Coercive Subtyping and the Coherence Problem 

In this section, we give a brief introduction to coercive subtyping, explain the 
notion of coherence and its importance, and lay down the necessary formal details 
to be used in the following sections. 

2.1 Coercive Subtyping 

The basic idea of coercive subtyping, as studied in e.g. [Luo99], is that A is 
a subtype of B if there is a (unique) coercion c from A to B, and therefore, 
any object of type A may be regarded as an object of type B via c, where c is a 
functional operation from A to B in the type theory. 

A coercion plays the role of abbreviation. More precisely, if c is a coercion 
from K_0 to K, then a functional operation f with domain K can be applied to 
any object k_0 of K_0 and the application f(k_0) is definitionally equal to f(c(k_0)). 
Intuitively, we can view f as a context which requires an object of K; then 
the argument k_0 in the context f stands for its image under the coercion, c(k_0). 
Therefore, one can use f(k_0) as an abbreviation of f(c(k_0)).

The above simple idea, when formulated in the logical framework, becomes 
very powerful. The second author and his colleagues have developed the framework 
of coercive subtyping that covers a variety of subtyping relations including 
those represented by parameterised coercions and coercions between parameterised 
inductive types. See [Luo99,Bai99,CL01,LC98,CLP01] for details of some 
of these developments and applications of coercive subtyping.

Some important meta-theoretic aspects of coercive subtyping have been stud- 
ied. In particular, the results on conservativity and on transitivity elimination 
for subkinding have been proved in [JLS98,SL01]. The conservativity result says, 
intuitively, that every judgement that is derivable in the theory with coercive 
subtyping and that does not contain coercive applications is derivable in the 
original type theory. Furthermore, for every derivation in the theory with coer- 
cive subtyping, one can always insert coercions correctly to obtain a derivation 



Coherence and Transitivity in Coercive Subtyping 



in the original type theory. The main result of [SL01] is essentially that coherence 
of basic subtyping rules does imply conservativity. These results not only 
justify the adequacy of the theory from the proof-theoretic consideration, but 
also provide the proof-theoretic basis for implementation of coercive subtyping. 
(However, how to prove coherence and admissibility of transitivity at the type 
level has not been studied; this is the subject of this paper.) 

Coercion mechanisms with certain restrictions have been implemented both 
in the proof development system Lego [LP92] and Coq [B+00], by Bailey [Bai99] 
and Saibi [Sai97], respectively. Callaghan of the Computer Assisted Reasoning 
Group at Durham has implemented Plastic [p7n], a proof assistant that supports 
the logical framework and coercive subtyping with a mixture of simple coercions, 
parameterised coercions, coercion rules for parameterised inductive types, 
and dependent coercions [LS99].

A formal presentation. Here, before discussing further the problems of coherence 
and transitivity, we first give a formal presentation of the framework of 
coercive subtyping, which is also the basis for our development in later sections. 
We shall be brief in this paper (for details and more explanations, see [Luo99]). 

Coercive subtyping is formally formulated as an extension of (type theories 
specified in) the logical framework LF [Luo94], whose rules are given in Appendix 
A. In LF, Type represents the conceptual universe of types and (x : K)K' represents 
the dependent product with functional operations f as objects (e.g., the 
abstraction [x : K]k) which can be applied to objects of kind K to form the application 
f(k). LF can be used to specify type theories, such as Martin-Löf's type 
theory [NPS90] and UTT [Luo94]. 

For example, Π-types, types of dependent functions, can be specified by introducing 
the constants for (1) formation: Π(A, B) is a type for any type A and 
any family of types B, (2) introduction: λ(A, B, f) is a function of type Π(A, B) 
if f is a functional operation of kind (x : A)B(x), and (3) elimination, from which 
we can define the application operator app(A, B, F, a). Similarly, we can introduce 
Σ-types Σ(A, B) with an introduction operator to form pair(A, B, a, b) and 
an elimination operator from which the projections π_1(A, B, p) and π_2(A, B, p) 
can be defined.

Notation. We shall use the following notations: 

• We shall often omit the El-operator in LF to write A for El(A) when no 
  confusion may occur, and may write (K)K' for (x : K)K' when x does not 
  occur free in K'. 

• We sometimes use M[x] to indicate that variable x may occur free in M and 
  subsequently write M[N] for [N/x]M, when no confusion may occur. 

• Functional composition: for f : (K_1)K_2 and g : (y : K_2)K_3[y], define 
  g ∘ f =_df [x : K_1]g(f(x)) : (x : K_1)K_3[f(x)], where x does not occur free in 
  f or g. 

• Context equality: for Γ = x_1 : K_1, ..., x_n : K_n and Γ' = x_1 : K_1', ..., x_n : K_n', 
  we shall write ⊢ Γ = Γ' for the sequence of judgements ⊢ K_1 = K_1', ..., 
  x_1 : K_1, ..., x_{n-1} : K_{n-1} ⊢ K_n = K_n'.
A system with coercive subtyping, T[R], is an extension of any type theory 
T specified in LF by a set of basic subtyping rules R. It can be presented in two 
stages: first we formulate the intermediate system T[R]_0 with subtyping judgements 
of the form Γ ⊢ A <_c B : Type, and then add the subkinding judgements 
of the form Γ ⊢ K <_c K' and rules concerning coercions between kinds. 

T[R]_0 is an extension of T (only) with the subtyping judgement form Γ ⊢ 
A <_c B : Type and the following rules: 

• A set R of basic subtyping rules whose conclusions are subtyping judgements 
  of the form Γ ⊢ A <_c B : Type.

• The following congruence rule for subtyping judgements: 

  (Cong) 
    Γ ⊢ A <_c B : Type    Γ ⊢ A = A' : Type    Γ ⊢ B = B' : Type    Γ ⊢ c = c' : (A)B 
    ------------------------------------------------------------------------------ 
    Γ ⊢ A' <_{c'} B' : Type



In the presentation of coercive subtyping in [Luo99], T[R]_0 also has the following 
substitution and transitivity rules: 

  (Subst) 
    Γ, x : K, Γ' ⊢ A <_c B : Type    Γ ⊢ k : K 
    ------------------------------------------------ 
    Γ, [k/x]Γ' ⊢ [k/x]A <_{[k/x]c} [k/x]B : Type 

  (Trans) 
    Γ ⊢ A <_c B : Type    Γ ⊢ B <_{c'} C : Type 
    ---------------------------------------------- 
    Γ ⊢ A <_{c' ∘ c} C : Type 

Since we consider in this paper how to prove that the substitution and transitivity 
rules are admissible, we do not include them as basic rules.


Remark 1. We have the following remarks. 

• T[R]_0 is obviously a conservative extension of the original type theory T, 
  since the subtyping judgements do not contribute to any derivation of a 
  judgement of any other form. 

• The set of basic coercion rules is supposed to be coherent; we shall give the 
  definition and discussion of this in the next subsection. 

The system T[R], the extension of T with coercive subtyping with respect to 
R, is the system obtained from T[R]_0 by adding the new subkinding judgement 
form Γ ⊢ K <_c K' and the rules in Appendix B. Note that the substitution 
rule and the transitivity rule for kinds (the last two rules in Appendix B) can 
be eliminated under the assumption that the set of basic subtyping rules R is 
coherent [SL01].



Notation. Since we are not much concerned with the subkinding judgements and are mainly concerned with the subtyping judgements, we shall simply write $\Gamma \vdash A <_c B$ for $\Gamma \vdash A <_c B : \mathrm{Type}$ when no confusion may occur. Sometimes, we shall also write $\Gamma \vdash A = B$ for $\Gamma \vdash A = B : \mathrm{Type}$.
2.2 Coherence of the Basic Subtyping Rules

The basic subtyping rules are the basis for the coercive subtyping system. Examples of such rules include

• simple coercion declarations such as those between basic inductive types: $Even$ is a subtype of $Nat$;

• parameterised coercions representing (point-wise) subtyping (or subfamily relation) between two families of types indexed by objects of the same type; for example, each vector type $Vec(A, n)$ can be taken as a subtype of that of lists $List(A)$, parameterised by the index $n$, where the coercion would map the vector $\langle a_1, \ldots, a_n \rangle$ to the list $[a_1, \ldots, a_n]$;

• coercions between parameterised inductive types: e.g., $\Sigma(A, B)$ is a subtype of $\Sigma(A', B')$ if $A$ is a subtype of $A'$ and $B$ is a subfamily of $B'$.

The most basic requirement for such basic subtyping rules is that of coherence, given in the following definition, which essentially says that basic coercions between any two types must be unique.

Definition 1 (coherence condition). We say that the basic subtyping rules are coherent if $T[\mathcal{R}]_0$ has the following coherence properties:

1. If $\Gamma \vdash A <_c B : \mathrm{Type}$, then $\Gamma \vdash A : \mathrm{Type}$, $\Gamma \vdash B : \mathrm{Type}$, and $\Gamma \vdash c : (A)B$.

2. $\Gamma \nvdash A <_c A : \mathrm{Type}$ for any $\Gamma$, $A$ and $c$.

3. If $\Gamma \vdash A <_c B : \mathrm{Type}$ and $\Gamma \vdash A <_{c'} B : \mathrm{Type}$, then $\Gamma \vdash c = c' : (A)B$.



Remark 2. This is a weaker notion of coherence as compared with that given in [Luo99], since there the rules $(Subst)$ and $(Trans)$ are included in $T[\mathcal{R}]_0$. In general, when parameterised coercions and substitutions are present, coherence is undecidable. This is one of the reasons one needs to consider proofs of coherence in general.

Examples of basic coercion rules include those mentioned above, among which one can find the lifting operators between type universes, overloading coercions, etc. Also, for example, for parameterised $\Pi$-types and $\Sigma$-types, we can have their subtyping rules as given in Figure 1 and Figure 2. Note that these rules are suitable ones for which we can show that transitivity is admissible. If one chose inductively defined coercions, strong transitivity would not be admissible (see Section 6 for discussions).

3 Well-Defined Coercions 

As mentioned above, unless the coercions can be represented as a finite graph, 
coherence is in general undecidable, especially when we have parameterised co- 
ercions. So we need to consider how to prove coherence and the related admis- 
sibility results. 
Domain rule

$$\frac{\Gamma \vdash A' <_c A \quad \Gamma \vdash B : (A)\mathrm{Type}}{\Gamma \vdash \Pi(A, B) <_{d_1} \Pi(A', B \circ c)}$$

where $d_1 = [f : \Pi(A, B)]\lambda(A', B \circ c, app(A, B, f) \circ c)$.

Codomain rule

$$\frac{\Gamma \vdash B : (A)\mathrm{Type} \quad \Gamma \vdash B' : (A)\mathrm{Type} \quad \Gamma, x : A \vdash B(x) <_{e[x]} B'(x)}{\Gamma \vdash \Pi(A, B) <_{d_2} \Pi(A, B')}$$

where $d_2 = [f : \Pi(A, B)]\lambda(A, B', [x : A]e[x](app(A, B, f, x)))$.

Domain-Codomain rule

$$\frac{\Gamma \vdash A' <_c A \quad \Gamma \vdash B : (A)\mathrm{Type} \quad \Gamma \vdash B' : (A')\mathrm{Type} \quad \Gamma, x : A' \vdash B(c(x)) <_{e[x]} B'(x)}{\Gamma \vdash \Pi(A, B) <_{d_3} \Pi(A', B')}$$

where $d_3 = [f : \Pi(A, B)]\lambda(A', B', [x : A']e[x](app(A, B, f, c(x))))$.

Fig. 1. Basic subtyping rules for $\Pi$-types.

First Component rule

$$\frac{\Gamma \vdash A <_c A' \quad \Gamma \vdash B : (A')\mathrm{Type}}{\Gamma \vdash \Sigma(A, B \circ c) <_{d_1} \Sigma(A', B)}$$

where $d_1 = [x : \Sigma(A, B \circ c)]pair(A', B, c(\pi_1(A, B \circ c, x)), \pi_2(A, B \circ c, x))$.

Second Component rule

$$\frac{\Gamma \vdash B : (A)\mathrm{Type} \quad \Gamma \vdash B' : (A)\mathrm{Type} \quad \Gamma, x : A \vdash B(x) <_{e[x]} B'(x)}{\Gamma \vdash \Sigma(A, B) <_{d_2} \Sigma(A, B')}$$

where $d_2 = [x : \Sigma(A, B)]pair(A, B', \pi_1(A, B, x), e[\pi_1(A, B, x)](\pi_2(A, B, x)))$.

First-Second Component rule

$$\frac{\Gamma \vdash A <_c A' \quad \Gamma \vdash B : (A)\mathrm{Type} \quad \Gamma \vdash B' : (A')\mathrm{Type} \quad \Gamma, x : A \vdash B(x) <_{e[x]} B'(c(x))}{\Gamma \vdash \Sigma(A, B) <_{d_3} \Sigma(A', B')}$$

where $d_3 = [x : \Sigma(A, B)]pair(A', B', c(\pi_1(A, B, x)), e[\pi_1(A, B, x)](\pi_2(A, B, x)))$.

Fig. 2. Basic subtyping rules for $\Sigma$-types.



A general strategy we adopt is to consider such proofs in a stepwise way. That is, if we know that some existing coercions (possibly generated by some existing rules) are coherent and have good admissibility properties, and we add some more subtyping rules, can we show that the newly extended system is still coherent and has good admissibility properties? This has led us to define the following concept of well-defined coercions. We shall then use subtyping rules for $\Pi$ and $\Sigma$-types to demonstrate how coherence etc. can be proved.

Definition 2 (Well-defined coercions). If $\mathcal{C}$ is a set of subtyping judgements of the form $\Gamma \vdash M <_d M' : \mathrm{Type}$ which satisfies the following conditions, we say that $\mathcal{C}$ is a well-defined set of judgements for coercions, or briefly called well-defined coercions (WDC):

1. (Coherence)

a) $\Gamma \vdash A <_c B \in \mathcal{C}$ implies $\Gamma \vdash A : \mathrm{Type}$, $\Gamma \vdash B : \mathrm{Type}$ and $\Gamma \vdash c : (A)B$.

b) $\Gamma \vdash A <_c A \notin \mathcal{C}$ for any $\Gamma$, $A$, and $c$.

c) $\Gamma \vdash A <_{c_1} B \in \mathcal{C}$ and $\Gamma \vdash A <_{c_2} B \in \mathcal{C}$ imply $\Gamma \vdash c_1 = c_2 : (A)B$.

2. (Congruence) $\Gamma \vdash A <_c B \in \mathcal{C}$, $\Gamma \vdash A = A'$, $\Gamma \vdash B = B'$ and $\Gamma \vdash c = c' : (A)B$ imply $\Gamma \vdash A' <_{c'} B' \in \mathcal{C}$.

3. (Transitivity) $\Gamma \vdash A <_{c_1} B \in \mathcal{C}$ and $\Gamma \vdash B <_{c_2} A' \in \mathcal{C}$ imply $\Gamma \vdash A <_{c_3} A' \in \mathcal{C}$ for some $c_3$ such that $\Gamma \vdash c_3 = c_2 \circ c_1 : (A)A'$.

4. (Substitution) $\Gamma, x : K, \Gamma' \vdash A <_c B \in \mathcal{C}$ implies, for any $k$ such that $\Gamma \vdash k : K$, $\Gamma, [k/x]\Gamma' \vdash [k/x]A <_{c'} [k/x]B \in \mathcal{C}$ for some $c'$ such that $\Gamma, [k/x]\Gamma' \vdash c' = [k/x]c : ([k/x]A)[k/x]B$.

5. (Weakening) $\Gamma \vdash A <_c B \in \mathcal{C}$, $\Gamma \subseteq \Gamma'$ and $\Gamma'$ is valid imply $\Gamma' \vdash A <_c B \in \mathcal{C}$.

Remark 3. A WDC can be thought of as a set of coercions generated from some basic coercions, some basic subtyping rules, and the rules $(Cong)$, $(Subst)$, $(Trans)$ and that of weakening.

We have the following properties of WDCs. 

Lemma 1.

1. If $\Gamma \vdash A <_{c_1} B \in \mathcal{C}$, $\Gamma \vdash B' <_{c_2} A' \in \mathcal{C}$ and $\Gamma \vdash B = B'$, then $\Gamma \vdash A <_{c_3} A' \in \mathcal{C}$ for some $c_3$ and $\Gamma \vdash c_3 = c_2 \circ c_1 : (A)A'$.

2. If $\Gamma, x : K, \Gamma' \vdash A <_c B \in \mathcal{C}$ and $\Gamma \vdash K = K'$, then $\Gamma, x : K', \Gamma' \vdash A <_c B \in \mathcal{C}$.

3. If $\Gamma \vdash A <_c B \in \mathcal{C}$ and $\vdash \Gamma = \Gamma'$, then $\Gamma' \vdash A <_c B \in \mathcal{C}$.

4. If $\Gamma \vdash A <_c B \in \mathcal{C}$, $\Gamma' \vdash A' <_{c'} B' \in \mathcal{C}$, $\vdash \Gamma = \Gamma'$, $\Gamma \vdash A = A'$ and $\Gamma \vdash B = B'$, then $\Gamma \vdash c = c' : (A)B$.

In the following sections, we shall consider the system of coercive subtyping whose basic subtyping rules ($\mathcal{R}$) consist of the following rule, where $\mathcal{C}$ is a WDC:

$$(C)\quad \frac{\Gamma \vdash A <_c B : \mathrm{Type} \in \mathcal{C}}{\Gamma \vdash A <_c B : \mathrm{Type}}$$

and the $\Pi$ and $\Sigma$-subtyping rules in Figures 1 and 2. Furthermore, we assume that for any judgement $\Gamma \vdash A <_c B \in \mathcal{C}$, neither $A$ nor $B$ is computationally equal to a $\Pi$-type or a $\Sigma$-type. We denote the derivable subtyping judgements of this system by $\mathcal{C}_m$. We also assume that the original type theory $T$ has good properties, in particular the Church-Rosser property and the property of context replacement by equal kinds. In the following two sections, we shall show that $\mathcal{C}_m$ is also a WDC.

Remark 4. The above system is equivalent to $T[\mathcal{R}]_0$ where $\mathcal{R}$ consists of $(C)$ and the $\Pi/\Sigma$ subtyping rules.
4 Coherence

In this section, we give a proof of coherence of the basic subtyping rules for $\Pi$-types and $\Sigma$-types.

Lemma 2. If $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}_m$, then one of the following holds:

• $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}$;

• Both $M_1$ and $M_2$ are computationally equal to $\Pi$-types; or

• Both $M_1$ and $M_2$ are computationally equal to $\Sigma$-types.

Proof. By induction on derivations. If $\Gamma \vdash M_1 <_d M_2 \notin \mathcal{C}$, its derivation must end with a $\Pi$-subtyping rule, a $\Sigma$-subtyping rule, or the congruence rule. If it is one of the $\Pi$ or $\Sigma$-subtyping rules, then we know both $M_1$ and $M_2$ are $\Pi$-types or $\Sigma$-types. If the last rule is the congruence rule $(Cong)$,

$$\frac{\Gamma \vdash M'_1 <_{d'} M'_2 : \mathrm{Type} \quad \Gamma \vdash M_1 = M'_1 : \mathrm{Type} \quad \Gamma \vdash M_2 = M'_2 : \mathrm{Type} \quad \Gamma \vdash d' = d : (M_1)M_2}{\Gamma \vdash M_1 <_d M_2}$$

then by the induction hypothesis, the lemma holds for $\Gamma \vdash M'_1 <_{d'} M'_2$. If both $M'_1$ and $M'_2$ are computationally equal to $\Pi$-types or $\Sigma$-types, so are $M_1$ and $M_2$. If $\Gamma \vdash M'_1 <_{d'} M'_2 \in \mathcal{C}$, then $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}$ because $\mathcal{C}$ is a WDC, which is closed under congruence. □

Lemma 3.

1. If $\Gamma \vdash \Pi(A, B) <_d \Pi(A', B') \in \mathcal{C}_m$ then $\Gamma \vdash A = A'$ or $\Gamma \vdash A' <_c A \in \mathcal{C}_m$ for some $c$.

2. If $\Gamma \vdash \Sigma(A, B) <_d \Sigma(A', B') \in \mathcal{C}_m$ then $\Gamma \vdash A = A'$ or $\Gamma \vdash A <_c A' \in \mathcal{C}_m$ for some $c$.

3. If $\Gamma \vdash \Pi(A, B) <_d \Pi(A', B') \in \mathcal{C}_m$ and $\Gamma \vdash A = A'$ then $\Gamma, x : A \vdash B(x) <_{e[x]} B'(x) \in \mathcal{C}_m$ for some $e$.

4. If $\Gamma \vdash \Sigma(A, B) <_d \Sigma(A', B') \in \mathcal{C}_m$ and $\Gamma \vdash A = A'$ then $\Gamma, x : A \vdash B(x) <_{e[x]} B'(x) \in \mathcal{C}_m$ for some $e$.

5. If $\Gamma \vdash \Pi(A, B) <_d \Pi(A', B') \in \mathcal{C}_m$ and $\Gamma \vdash A' <_c A \in \mathcal{C}_m$ then $\Gamma, x : A' \vdash B(c(x)) = B'(x)$ or $\Gamma, x : A' \vdash B(c(x)) <_{e[x]} B'(x) \in \mathcal{C}_m$ for some $e$.

6. If $\Gamma \vdash \Sigma(A, B) <_d \Sigma(A', B') \in \mathcal{C}_m$ and $\Gamma \vdash A <_c A' \in \mathcal{C}_m$ then $\Gamma, x : A \vdash B(x) = B'(c(x))$ or $\Gamma, x : A \vdash B(x) <_{e[x]} B'(c(x)) \in \mathcal{C}_m$ for some $e$.

Proof. By induction on derivations. We only consider the first statement; the proofs of the others are similar. For the first, a derivation of the judgement $\Gamma \vdash \Pi(A, B) <_d \Pi(A', B')$ must be of the form

$$\frac{\text{one of the three } \Pi\text{-subtyping rules}}{\Gamma \vdash \Pi(A_1, B_1) <_{d'} \Pi(A_2, B_2)}$$

$\ldots$(Congruence rules)$\ldots$

$$\Gamma \vdash \Pi(A, B) <_d \Pi(A', B')$$

where $\Gamma \vdash \Pi(A_1, B_1) = \Pi(A, B) : \mathrm{Type}$, $\Gamma \vdash \Pi(A_2, B_2) = \Pi(A', B') : \mathrm{Type}$, and $\Gamma \vdash d' = d : (C)C'$ for some $C$ and $C'$ computationally equal to $\Pi(A, B)$ and $\Pi(A', B')$, respectively. Hence, by the Church-Rosser theorem of the original type theory $T$ and conservativity of $T[\mathcal{R}]_0$ over $T$, $\Gamma \vdash A_1 = A$, $\Gamma \vdash B_1 = B$, $\Gamma \vdash A_2 = A'$ and $\Gamma \vdash B_2 = B'$. So $\Gamma \vdash A = A'$ or $\Gamma \vdash A' <_c A$ by the congruence rule. □

Lemma 4. If $\Gamma \vdash M_1 <_c M_2 \in \mathcal{C}_m$, then $\Gamma \nvdash M_1 = M_2$.

Theorem 1 (Coherence). If $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}_m$, $\Gamma' \vdash M'_1 <_{d'} M'_2 \in \mathcal{C}_m$, $\vdash \Gamma = \Gamma'$, $\Gamma \vdash M_1 = M'_1$, and $\Gamma \vdash M_2 = M'_2$, then $\Gamma \vdash d = d' : (M_1)M_2$.

Proof. By induction on derivations. By Lemma 2, we only have to consider the following cases.

• $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}$. Then neither $M_1$ nor $M_2$ is computationally equal to a $\Pi$-type or $\Sigma$-type. Therefore, nor is $M'_1$ or $M'_2$. So, by Lemma 2, $\Gamma' \vdash M'_1 <_{d'} M'_2 \in \mathcal{C}$. Now, by Lemma 1(4), we have $\Gamma \vdash d = d' : (M_1)M_2$.

• Both $M_1$ and $M_2$ are computationally equal to $\Pi$-types. Then any derivation of $\Gamma \vdash M_1 <_d M_2$ contains a subderivation whose last rule is one of the $\Pi$-subtyping rules followed by congruence rules. We only consider the case where the $\Pi$-subtyping rule concerned is the third rule in Figure 1, i.e., the derivation is of the form

$$\frac{\Gamma \vdash A_2 <_c A_1 \quad \Gamma, x : A_2 \vdash B_1(c(x)) <_{e[x]} B_2(x)}{\Gamma \vdash \Pi(A_1, B_1) <_{d_1} \Pi(A_2, B_2)}$$

$\ldots$(Congruence rules)$\ldots$

$$\Gamma \vdash M_1 <_d M_2$$

where $\Gamma \vdash \Pi(A_1, B_1) = M_1$, $\Gamma \vdash \Pi(A_2, B_2) = M_2$, and $\Gamma \vdash d_1 = d : (M_1)M_2$.

Now, it must be the case that any derivation of $\Gamma' \vdash M'_1 <_{d'} M'_2$ contains a subderivation whose last rule is also the same $\Pi$-subtyping rule as above, followed by applications of the congruence rule; i.e., it must be of the form

$$\frac{\Gamma' \vdash A'_2 <_{c'} A'_1 \quad \Gamma', x : A'_2 \vdash B'_1(c'(x)) <_{e'[x]} B'_2(x)}{\Gamma' \vdash \Pi(A'_1, B'_1) <_{d'_1} \Pi(A'_2, B'_2)}$$

$\ldots$(Congruence rules)$\ldots$

$$\Gamma' \vdash M'_1 <_{d'} M'_2$$

where $\Gamma' \vdash \Pi(A'_1, B'_1) = M'_1$, $\Gamma' \vdash \Pi(A'_2, B'_2) = M'_2$, and $\Gamma' \vdash d' = d'_1 : (M'_1)M'_2$. To see this is the case, by Lemma 3 we only have to show that

1. $\Gamma' \nvdash A'_2 = A'_1$, and

2. $\Gamma', x : A'_2 \nvdash B'_1(c'(x)) = B'_2(x)$.

For the first case, since $\Gamma \vdash M_1 = M'_1$ and $\Gamma \vdash M_2 = M'_2$, we have $\Gamma \vdash \Pi(A_1, B_1) = \Pi(A'_1, B'_1)$ and $\Gamma \vdash \Pi(A_2, B_2) = \Pi(A'_2, B'_2)$. Hence, by the Church-Rosser theorem in $T$ and conservativity of $T[\mathcal{R}]_0$ over $T$, $\Gamma \vdash A_1 = A'_1$, $\Gamma \vdash B_1 = B'_1$, $\Gamma \vdash A_2 = A'_2$ and $\Gamma \vdash B_2 = B'_2$. As $\Gamma \vdash A_2 <_c A_1$, we have by Lemma 4 $\Gamma \nvdash A_2 = A_1$. So $\Gamma' \nvdash A'_2 = A'_1$.

For the second case, a similar argument suffices, except that we use the fact that, by the argument of the first case and the induction hypothesis, $\Gamma \vdash c = c' : (A_2)A_1$.

Since the derivations must be of the above forms, by the induction hypothesis, we have $\Gamma \vdash c = c' : (A_2)A_1$ and $\Gamma, x : A_2 \vdash e[x] = e'[x] : (B_1(c(x)))B_2(x)$. Hence $\Gamma \vdash d = d' : (M_1)M_2$.

• Both $M_1$ and $M_2$ are computationally equal to $\Sigma$-types. The proof of this case is similar to the above case. □

5 Admissibility of Substitution and Transitivity 

In the presentation of coercive subtyping in [Luo99], substitution and transitivity are two of the basic rules in the theoretical framework. However, in an implementation of coercive subtyping, these rules are ignored simply because they cannot be directly implemented. For this reason among others, proving admissibility of such rules (or their elimination) is always an important task for any subtyping system.

In this paper, we do not take substitution and transitivity as basic rules, but we prove that they are both admissible when we extend a WDC by the $\Pi$ and $\Sigma$-subtyping rules. In order to prove admissibility of transitivity, we also need to prove the theorem about weakening.

Theorem 2 (Substitution and weakening).

1. (Substitution) If $\Gamma, x : K, \Gamma' \vdash M_1 <_d M_2 \in \mathcal{C}_m$ and $\Gamma \vdash k : K$, then $\Gamma, [k/x]\Gamma' \vdash [k/x]M_1 <_{d'} [k/x]M_2 \in \mathcal{C}_m$ for some $d'$ such that $\Gamma, [k/x]\Gamma' \vdash d' = [k/x]d : ([k/x]M_1)[k/x]M_2$.

2. (Weakening) If $\Gamma \vdash M_1 <_d M_2 \in \mathcal{C}_m$, $\Gamma \subseteq \Gamma'$ and $\Gamma'$ is valid, then $\Gamma' \vdash M_1 <_d M_2 \in \mathcal{C}_m$.

Proof. By induction on derivations and using Lemma 1. □

To prove the admissibility of transitivity, the usual measures (e.g., the size of the types concerned) do not seem to work (or even to be definable), since types essentially involve computations. We use a measure developed by Chen in his PhD thesis [Che98], which only considers subtyping judgements in a derivation, defined as follows.
Definition 3 (depth). Let $D$ be a derivation of a subtyping judgement of the form $\Gamma \vdash A <_c B : \mathrm{Type}$. Then

1. If the last rule of $D$ is

$$\frac{\Gamma \vdash A <_c B : \mathrm{Type} \in \mathcal{C}}{\Gamma \vdash A <_c B : \mathrm{Type}}$$

then $depth(D) = 1$.

2. If the last rule of $D$ is

$$\frac{S_1, \ldots, S_n, D_1, \ldots, D_m}{\Gamma \vdash A <_c B : \mathrm{Type}}$$

where $S_1, \ldots, S_n$ are derivations of subtyping judgements of the form $\Gamma' \vdash A' <_{c'} B' : \mathrm{Type}$ and $D_1, \ldots, D_m$ are derivations of other forms of judgements, then $depth(D) = \max\{depth(S_1), \ldots, depth(S_n)\} + 1$.

The following lemma shows that, from a derivation D of a subtyping judge- 
ment J one can always get a derivation D' of the judgement obtained from J 
by context replacement such that D and D' have the same depth. 

Lemma 5.

1. If $\vdash \Gamma = \Gamma'$, $\Gamma \vdash M_1 <_d M_2 : \mathrm{Type} \in \mathcal{C}_m$, and $D$ is a derivation of $\Gamma \vdash M_1 <_d M_2 : \mathrm{Type}$, then

a) $\Gamma' \vdash M_1 <_d M_2 : \mathrm{Type} \in \mathcal{C}_m$, and

b) there is a derivation $D'$ of $\Gamma' \vdash M_1 <_d M_2 : \mathrm{Type}$ such that $depth(D) = depth(D')$.

2. If $\Gamma, x : El(A), \Gamma' \vdash M_1 <_{c_1} M_2 : \mathrm{Type} \in \mathcal{C}_m$, $\Gamma \vdash A' <_{c_2} A : \mathrm{Type} \in \mathcal{C}_m$, and $D$ is a derivation of $\Gamma, x : El(A), \Gamma' \vdash M_1 <_{c_1} M_2 : \mathrm{Type}$, then

a) $\Gamma, y : El(A'), [c_2(y)/x]\Gamma' \vdash [c_2(y)/x]M_1 <_{c_3} [c_2(y)/x]M_2 : \mathrm{Type} \in \mathcal{C}_m$ for some $c_3$ such that $\Gamma, y : El(A'), [c_2(y)/x]\Gamma' \vdash c_3 = [c_2(y)/x]c_1 : ([c_2(y)/x]M_1)[c_2(y)/x]M_2$, and

b) there is a derivation $D'$ of $\Gamma, y : El(A'), [c_2(y)/x]\Gamma' \vdash [c_2(y)/x]M_1 <_{c_3} [c_2(y)/x]M_2 : \mathrm{Type}$ such that $depth(D) = depth(D')$.

Proof. By induction on derivations. The key point is that, in the proofs briefly described below, the size of a derivation may change, but the depth of a derivation, which only counts the subtyping judgements, does not.

1. For (1), in the base case, we use Lemma 1(3), and in the step cases, the theorem of context replacement by equal kinds in $T$ and conservativity of $T[\mathcal{R}]_0$ over $T$.

2. For (2), in the base case, we use the fact that, if $\Gamma, x : El(A), \Gamma' \vdash M_1 <_{c_1} M_2 : \mathrm{Type} \in \mathcal{C}$, then $\Gamma, y : El(A'), [c_2(y)/x]\Gamma' \vdash [c_2(y)/x]M_1 <_{c_3} [c_2(y)/x]M_2 : \mathrm{Type} \in \mathcal{C}$ for some $c_3$ such that $\Gamma, y : El(A'), [c_2(y)/x]\Gamma' \vdash c_3 = [c_2(y)/x]c_1 : ([c_2(y)/x]M_1)[c_2(y)/x]M_2$. In the step cases, use of the induction hypothesis suffices. □

Now, we can prove the admissibility of transitivity. 
Theorem 3 (Transitivity). If $\Gamma \vdash M_1 <_{d_1} M_2 \in \mathcal{C}_m$, $\Gamma \vdash M'_2 <_{d_2} M_3 \in \mathcal{C}_m$ and $\Gamma \vdash M_2 = M'_2$, then $\Gamma \vdash M_1 <_{d_3} M_3 \in \mathcal{C}_m$ for some $d_3$ such that $\Gamma \vdash d_3 = d_2 \circ d_1 : (M_1)M_3$.

Proof. By induction on $depth(D) + depth(D')$, where $D$ and $D'$ are derivations of $\Gamma \vdash M_1 <_{d_1} M_2$ and $\Gamma \vdash M'_2 <_{d_2} M_3$, respectively. In the base case, we have that the judgements $\Gamma \vdash M_1 <_{d_1} M_2$ and $\Gamma \vdash M'_2 <_{d_2} M_3$ are both in $\mathcal{C}$. By Lemma 1(1), we have $\Gamma \vdash M_1 <_{d_3} M_3 \in \mathcal{C}$ for some $d_3$ such that $\Gamma \vdash d_3 = d_2 \circ d_1 : (M_1)M_3$.

In the step case, if $\Gamma \vdash M_1 <_{d_1} M_2$ and $\Gamma \vdash M'_2 <_{d_2} M_3$ are both in $\mathcal{C}$, then a similar argument as in the base case suffices. Otherwise, we have that either $\Gamma \vdash M_1 <_{d_1} M_2$ or $\Gamma \vdash M'_2 <_{d_2} M_3$ is not in $\mathcal{C}$. Therefore, by Lemma 2 and the assumption that $\Gamma \vdash M_2 = M'_2$, all of $M_1$, $M_2$, $M'_2$ and $M_3$ are computationally equal to $\Pi$-types or $\Sigma$-types. We only consider the case that they are equal to $\Pi$-types. Suppose that the derivations $D$ and $D'$ are of the following forms (we only consider the most difficult example among the combinations of $\Pi$-subtyping rules):

$$\frac{D_1 \qquad D_2}{\frac{\Gamma \vdash A_2 <_{c_1} A_1 \quad \Gamma, x : A_2 \vdash B_1(c_1(x)) <_{e_1[x]} B_2(x)}{\Gamma \vdash \Pi(A_1, B_1) <_{d'_1} \Pi(A_2, B_2)}}$$

$\ldots$(Congruence rules)$\ldots$

$$\Gamma \vdash M_1 <_{d_1} M_2$$

where $\Gamma \vdash \Pi(A_1, B_1) = M_1$, $\Gamma \vdash \Pi(A_2, B_2) = M_2$, $\Gamma \vdash d'_1 = d_1 : (M_1)M_2$ and $d'_1 = [f : \Pi(A_1, B_1)]\lambda(A_2, B_2, [x : A_2]e_1[x](app(A_1, B_1, f, c_1(x))))$, and

$$\frac{D'_1 \qquad D'_2}{\frac{\Gamma \vdash A_3 <_{c_2} A'_2 \quad \Gamma, x : A_3 \vdash B'_2(c_2(x)) <_{e_2[x]} B_3(x)}{\Gamma \vdash \Pi(A'_2, B'_2) <_{d'_2} \Pi(A_3, B_3)}}$$

$\ldots$(Congruence rules)$\ldots$

$$\Gamma \vdash M'_2 <_{d_2} M_3$$

where $\Gamma \vdash \Pi(A'_2, B'_2) = M'_2$, $\Gamma \vdash \Pi(A_3, B_3) = M_3$, $\Gamma \vdash d'_2 = d_2 : (M'_2)M_3$ and $d'_2 = [f : \Pi(A'_2, B'_2)]\lambda(A_3, B_3, [x : A_3]e_2[x](app(A'_2, B'_2, f, c_2(x))))$. We obviously have $depth(D_1) < depth(D)$, $depth(D_2) < depth(D)$, $depth(D'_1) < depth(D')$, and $depth(D'_2) < depth(D')$.

Now, since $\Gamma \vdash M_2 = M'_2$, we have by the Church-Rosser theorem of $T$ and conservativity of $T[\mathcal{R}]_0$ over $T$, $\Gamma \vdash A_2 = A'_2$ and $\Gamma \vdash B_2 = B'_2 : (A_2)\mathrm{Type}$. From the former, $\Gamma \vdash A_3 <_{c_2} A_2$ by the congruence rule. By Lemma 5(2), $\Gamma, x : A_3 \vdash B_1(c_1(c_2(x))) <_{e_3[x]} B_2(c_2(x))$ for some $e_3$ such that $\Gamma, x : A_3 \vdash e_3[x] = e_1[c_2(x)]$, and there is a derivation $D_3$ of the judgement $\Gamma, x : A_3 \vdash B_1(c_1(c_2(x))) <_{e_3[x]} B_2(c_2(x))$ with $depth(D_3) = depth(D_2) < depth(D)$.

Now, we have

$$depth(D_1) + depth(D'_1) < depth(D) + depth(D')$$

$$depth(D_3) + depth(D'_2) < depth(D) + depth(D')$$

By the induction hypothesis, there is $c_3$ such that $\Gamma \vdash A_3 <_{c_3} A_1 \in \mathcal{C}_m$ and $\Gamma \vdash c_3 = c_1 \circ c_2 : (A_3)A_1$. And because $\Gamma, x : A_3 \vdash B_2(c_2(x)) = B'_2(c_2(x))$ (as we have $\Gamma \vdash B_2 = B'_2 : (A_2)\mathrm{Type}$), by the induction hypothesis, there is $e_4$ such that

$$\Gamma, x : A_3 \vdash B_1(c_1(c_2(x))) <_{e_4[x]} B_3(x) \in \mathcal{C}_m$$

$$\Gamma, x : A_3 \vdash e_4[x] = e_2[x] \circ e_3[x] : (B_1(c_1(c_2(x))))B_3(x).$$

Hence $\Gamma, x : A_3 \vdash e_4[x] = e_2[x] \circ e_1[c_2(x)] : (B_1(c_1(c_2(x))))B_3(x)$. So by the Domain-Codomain rule (the third rule in Figure 1), $\Gamma \vdash \Pi(A_1, B_1) <_{d_3} \Pi(A_3, B_3) \in \mathcal{C}_m$, where

$$d_3 =_{df} [f : \Pi(A_1, B_1)]\lambda(A_3, B_3, [x : A_3]e_4[x](app(A_1, B_1, f, c_3(x))))$$

and we have $d_3 = d_2 \circ d_1$. Finally, by the congruence rule, we have $\Gamma \vdash M_1 <_{d_3} M_3 \in \mathcal{C}_m$. □

Corollary 1. $\mathcal{C}_m$ is a WDC.

Proof. By Lemma 4 and Theorems 1, 2 and 3. □



6 Discussions 

In this section, we briefly discuss several issues of interest such as those concern- 
ing decidability and transitivity, and related work. 



6.1 Decidability 

Once we have proven coherence and admissibility of substitution and transitivity (as we have done for the $\Pi$ and $\Sigma$-subtyping rules), we can be sure that coercion searching is decidable for $\mathcal{C}_m$ if it is decidable for $\mathcal{C}$; in other words, it is decidable whether $\Gamma \vdash A <_c B : \mathrm{Type}$ is derivable. One can give a sound and complete algorithm to do this. We omit the details here. This is of course important in implementations.
6.2 Weak Transitivity

The transitivity rule $(Trans)$ states that $c' \circ c$ is a coercion from $A$ to $C$ if $c$ and $c'$ are coercions from $A$ to $B$ and from $B$ to $C$, respectively. In fact, this transitivity rule is very strong. For instance, if we introduce a subtyping rule for lists:

$$\frac{\Gamma \vdash A <_c B : \mathrm{Type}}{\Gamma \vdash List(A) <_d List(B) : \mathrm{Type}}$$

where $d$ is defined inductively such that $d(nil(A)) = nil(B)$ and $d(cons(A, a, l)) = cons(B, c(a), d(l))$, then the rule $(Trans)$ fails to be admissible.

A weaker version is

$$(WTrans)\quad \frac{\Gamma \vdash A < B \quad \Gamma \vdash B < C}{\Gamma \vdash A < C}$$

where the judgement $\Gamma \vdash A < B$ means that "$\Gamma \vdash A <_c B$ for some $c$". In fact, this weaker version of transitivity seems to be better suited to the wider applications. Furthermore, if the type theory $T$ has a propositional equality $=_A$ (e.g., Leibniz's equality or Martin-Löf's equality type), we can prove that

• If $\Gamma \vdash A <_c B$, $\Gamma \vdash B <_d C$, and $\Gamma \vdash A <_e C$, then $e$ is extensionally equal to $d \circ c$ in the sense that the proposition $\forall x : A.\ e(x) =_C d(c(x))$ is provable in the type theory.

The admissibility of weak transitivity and the above extensional justification will be discussed in a forthcoming paper [LLS01]. The admissibility of the $(Trans)$ rule and the $(WTrans)$ rule in extensional type theory needs further study.



6.3 Related Work 

Besides those mentioned above, the related work includes previous meta-theoretic studies about coercive subtyping. One of the future tasks to be done is to consider how the conservativity result and related work at the kind level [SL01] can be related to the current development and hence to obtain an overall better understanding of the framework. We should mention again Chen's work [Che98], in particular his development of the depth measure, which seems to be very useful in proving admissibility of transitivity.
Appendix A

The following gives the rules of the logical framework LF.

Contexts and assumptions

$$\frac{}{\langle\rangle\ valid} \qquad \frac{\Gamma \vdash K\ kind \quad x \notin FV(\Gamma)}{\Gamma, x : K\ valid} \qquad \frac{\Gamma, x : K, \Gamma'\ valid}{\Gamma, x : K, \Gamma' \vdash x : K}$$




264    Y. Luo and Z. Luo



Equality rules

$$\frac{\Gamma \vdash K\ kind}{\Gamma \vdash K = K} \qquad \frac{\Gamma \vdash K = K'}{\Gamma \vdash K' = K} \qquad \frac{\Gamma \vdash K = K' \quad \Gamma \vdash K' = K''}{\Gamma \vdash K = K''}$$

$$\frac{\Gamma \vdash k : K}{\Gamma \vdash k = k : K} \qquad \frac{\Gamma \vdash k = k' : K}{\Gamma \vdash k' = k : K} \qquad \frac{\Gamma \vdash k = k' : K \quad \Gamma \vdash k' = k'' : K}{\Gamma \vdash k = k'' : K}$$

$$\frac{\Gamma \vdash k : K \quad \Gamma \vdash K = K'}{\Gamma \vdash k : K'} \qquad \frac{\Gamma \vdash k = k' : K \quad \Gamma \vdash K = K'}{\Gamma \vdash k = k' : K'}$$

Substitution rules

$$\frac{\Gamma, x : K, \Gamma'\ valid \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma'\ valid}$$

$$\frac{\Gamma, x : K, \Gamma' \vdash K'\ kind \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]K'\ kind} \qquad \frac{\Gamma, x : K, \Gamma' \vdash K'\ kind \quad \Gamma \vdash k = k' : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]K' = [k'/x]K'}$$

$$\frac{\Gamma, x : K, \Gamma' \vdash k' : K' \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]k' : [k/x]K'} \qquad \frac{\Gamma, x : K, \Gamma' \vdash k' : K' \quad \Gamma \vdash k_1 = k_2 : K}{\Gamma, [k_1/x]\Gamma' \vdash [k_1/x]k' = [k_2/x]k' : [k_1/x]K'}$$

$$\frac{\Gamma, x : K, \Gamma' \vdash K' = K'' \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]K' = [k/x]K''} \qquad \frac{\Gamma, x : K, \Gamma' \vdash k' = k'' : K' \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]k' = [k/x]k'' : [k/x]K'}$$

The kind Type

$$\frac{\Gamma\ valid}{\Gamma \vdash \mathrm{Type}\ kind} \qquad \frac{\Gamma \vdash A : \mathrm{Type}}{\Gamma \vdash El(A)\ kind} \qquad \frac{\Gamma \vdash A = B : \mathrm{Type}}{\Gamma \vdash El(A) = El(B)}$$

Dependent product kinds

$$\frac{\Gamma \vdash K\ kind \quad \Gamma, x : K \vdash K'\ kind}{\Gamma \vdash (x : K)K'\ kind} \qquad \frac{\Gamma \vdash K_1 = K_2 \quad \Gamma, x : K_1 \vdash K'_1 = K'_2}{\Gamma \vdash (x : K_1)K'_1 = (x : K_2)K'_2}$$

$$\frac{\Gamma, x : K \vdash k : K'}{\Gamma \vdash [x : K]k : (x : K)K'} \qquad \frac{\Gamma \vdash K_1 = K_2 \quad \Gamma, x : K_1 \vdash k_1 = k_2 : K}{\Gamma \vdash [x : K_1]k_1 = [x : K_2]k_2 : (x : K_1)K}$$

$$\frac{\Gamma \vdash f : (x : K)K' \quad \Gamma \vdash k : K}{\Gamma \vdash f(k) : [k/x]K'} \qquad \frac{\Gamma \vdash f = f' : (x : K)K' \quad \Gamma \vdash k_1 = k_2 : K}{\Gamma \vdash f(k_1) = f'(k_2) : [k_1/x]K'}$$

$$\frac{\Gamma, x : K \vdash k' : K' \quad \Gamma \vdash k : K}{\Gamma \vdash ([x : K]k')(k) = [k/x]k' : [k/x]K'} \qquad \frac{\Gamma \vdash f : (x : K)K' \quad x \notin FV(f)}{\Gamma \vdash [x : K]f(x) = f : (x : K)K'}$$

Appendix B

The following are the inference rules for the coercive subkinding extension $T[\mathcal{R}]$ (not including the rules for subtyping).

New rules for application

$$\frac{\Gamma \vdash f : (x : K)K' \quad \Gamma \vdash k_0 : K_0 \quad \Gamma \vdash K_0 <_c K}{\Gamma \vdash f(k_0) : [c(k_0)/x]K'}$$

$$\frac{\Gamma \vdash f = f' : (x : K)K' \quad \Gamma \vdash k_0 = k'_0 : K_0 \quad \Gamma \vdash K_0 <_c K}{\Gamma \vdash f(k_0) = f'(k'_0) : [c(k_0)/x]K'}$$

Coercive definition rule

$$\frac{\Gamma \vdash f : (x : K)K' \quad \Gamma \vdash k_0 : K_0 \quad \Gamma \vdash K_0 <_c K}{\Gamma \vdash f(k_0) = f(c(k_0)) : [c(k_0)/x]K'}$$

Basic subkinding rule

$$\frac{\Gamma \vdash A <_c B : \mathrm{Type}}{\Gamma \vdash El(A) <_c El(B)}$$

Subkinding for dependent product kinds

$$\frac{\Gamma \vdash K'_1 = K_1 \quad \Gamma, x : K'_1 \vdash K_2 <_c K'_2 \quad \Gamma, x : K_1 \vdash K_2\ kind}{\Gamma \vdash (x : K_1)K_2 <_{[f : (x : K_1)K_2][x : K'_1]c(f(x))} (x : K'_1)K'_2}$$

$$\frac{\Gamma \vdash K'_1 <_c K_1 \quad \Gamma, x : K'_1 \vdash [c(x)/x]K_2 = K'_2 \quad \Gamma, x : K_1 \vdash K_2\ kind}{\Gamma \vdash (x : K_1)K_2 <_{[f : (x : K_1)K_2][x : K'_1]f(c(x))} (x : K'_1)K'_2}$$

$$\frac{\Gamma \vdash K'_1 <_{c_1} K_1 \quad \Gamma, x : K'_1 \vdash [c_1(x)/x]K_2 <_{c_2} K'_2 \quad \Gamma, x : K_1 \vdash K_2\ kind}{\Gamma \vdash (x : K_1)K_2 <_{[f : (x : K_1)K_2][x : K'_1]c_2(f(c_1(x)))} (x : K'_1)K'_2}$$

Congruence rule for subkinding

$$\frac{\Gamma \vdash K_1 <_c K_2 \quad \Gamma \vdash K_1 = K'_1 \quad \Gamma \vdash K_2 = K'_2 \quad \Gamma \vdash c = c' : (K_1)K_2}{\Gamma \vdash K'_1 <_{c'} K'_2}$$

Transitivity and substitution rules for subkinding

$$\frac{\Gamma \vdash K <_c K' \quad \Gamma \vdash K' <_{c'} K''}{\Gamma \vdash K <_{c' \circ c} K''} \qquad \frac{\Gamma, x : K, \Gamma' \vdash K_1 <_c K_2 \quad \Gamma \vdash k : K}{\Gamma, [k/x]\Gamma' \vdash [k/x]K_1 <_{[k/x]c} [k/x]K_2}$$
Abstract. Reasoning by induction is common practice in computer science and mathematics. In formal logic, however, standard induction principles exist only for a certain class of inductively defined structures that satisfy the positivity condition. This is a major restriction considering that many structures in programming languages and logics are best expressed using higher-order representation techniques that violate exactly this condition. In this paper we develop induction principles for higher-order encodings in the setting of first-order intuitionistic logic. They differ from standard induction principles in that they rely on the concept of worlds [Sch01] which admits reasoning about open terms in regularly formed contexts. The soundness of these induction principles follows from external termination and coverage considerations about a realizability interpretation of proofs.



1 Introduction 

Reasoning by induction is common practice in computer science and mathematics, it is well understood, and it is admissible when reasoning about objects whose types are inductively defined. But standard induction principles only exist for those types whose constructors satisfy the so-called positivity condition [PM93, SH93]. This condition requires that the type that is being defined does not occur in a negative position in any of its constructor types. Types that violate this condition are not inductive and therefore excluded from inductive reasoning.

Many concepts however that are prevalent in programming languages, logics, and type theory such as for example operational semantics, compilers, transformations, logics, and proof systems, have elegant, dependently typed, higher-order encodings (see [Pfe99] for an overview) but violate this positivity condition. These encodings are therefore not inductive in the standard sense, which hampers their use in programming and renders them inappropriate for modeling in automated proof assistants based on standard induction principles, such as, for example, Coq [DFH+93] or Isabelle/HOL [Pau94].

In previous years, this problem has been actively worked on, and much progress has been made [DPS97, Hof99, GP99, HMS01] with a variety of ideas inspired from modal logic, category theory, FM set theory, and the $\pi$-calculus. In this paper we propose a type theoretic solution to this problem. Specifically, we
define an induction principle for any higher-order encoding in the logical framework LF. Our technique is based on the observation that standard induction principles leverage off the existence of canonical ($\beta$-normal $\eta$-long) forms. For example, in totally freely generated term algebras, canonical forms of first-order encodings are guaranteed to exist if only closed objects are being considered.

Canonical forms also exist in the higher-order setting and they are inductively defined. This makes them great candidates for inductive reasoning; however, they have one serious problem. Canonical forms are in general open, i.e. they may contain free parameters, which is common to all higher-order encodings. If we include these parameters in the inductive reasoning process we obtain the sound induction principle described in this paper that is based on the idea of distinguishing cases of canonical forms. It is expressive enough to reason about properties of logics, operational semantics, and abstract machines. The underlying assumption is called the regular world assumption [Sch01] which allows quantifiers to range over open objects whose free variables are declared in a regularly formed (and hence subject to reasoning) context. Those regular contexts are characterized by so-called worlds whose structure may be freely chosen, but must be fixed ahead of time [Sch01].

The main contribution of this paper is an induction principle for higher-order encodings that extends first-order intuitionistic logic. Its quantifiers range over objects which live in the dependent type theory LF [HHP93] for which canonical forms are known to exist. A prototype theorem prover for this logic has been implemented in the Twelf system [PS99].

This paper is organized as follows. In Section 2 we revisit standard induction principles for first-order encodings and give in Section 3 a brief overview of higher-order encodings. In Section 4 we then motivate and define our induction principle. In Section 5 we argue for the soundness of the design before we discuss related work in Section 6. We comment on the implementation and assess results and future work in Section 7.

2 Standard Induction Principles 

One of the most intuitive forms of an induction principle is the one for natural numbers. But first, how shall we represent natural numbers? In this paper we represent all data structures uniformly in a logical framework. The logical framework of choice is LF [HHP93], but for now, the reader is invited to think of it as the simply typed $\lambda$-calculus. The representation of natural numbers leads to the following signature $\Sigma$ of constant declarations:

$$\Sigma = \mathsf{nat} : \mathsf{type},\ \mathsf{z} : \mathsf{nat},\ \mathsf{s} : \mathsf{nat} \rightarrow \mathsf{nat}.$$

The type constructor $\rightarrow$ denotes the function space of the logical framework.

$$\frac{}{\Psi \Vdash_\Sigma \top}\ \top I \qquad \frac{\Psi, x : A \Vdash_\Sigma P(x)}{\Psi \Vdash_\Sigma \forall x : A.\,P(x)}\ \forall I^x \qquad \frac{\Psi \Vdash_\Sigma \forall x : A.\,P(x) \quad \Psi \vdash_\Sigma M \Uparrow A}{\Psi \Vdash_\Sigma P(M)}\ \forall E$$

$$\frac{\Psi \vdash_\Sigma M \Uparrow A \quad \Psi \Vdash_\Sigma P(M)}{\Psi \Vdash_\Sigma \exists x : A.\,P(x)}\ \exists I \qquad \frac{\Psi \Vdash_\Sigma \exists x : A.\,P(x) \quad \Psi, x : A, y \in P(x) \Vdash_\Sigma P'}{\Psi \Vdash_\Sigma P'}\ \exists E^{x,y}$$

Fig. 1. Intuitionistic first-order logic $\mathcal{IL}$.

Standard induction principles, which are commonly used in proof assistants and automated theorem proving systems, require that the respective datatypes are inductive. They satisfy the "positivity condition" [PM93] which requires that the type of each constructor contains only positive occurrences of the type that is defined. Because $\mathsf{z}$ and $\mathsf{s}$ satisfy this condition, $\mathsf{nat}$ is inductive and a standard induction principle exists. This principle can be safely added to a logic, such as, for example, first-order intuitionistic logic $\mathcal{IL}$ whose first-order fragment is depicted in Figure 1.

Formulas: $P ::= \top \mid \forall x : A.\,P \mid \exists x : A.\,P$

Context: $\Psi ::= \cdot \mid \Psi, x : A \mid \Psi, x \in P$

We write $\Psi \Vdash_\Sigma P$ for the logical entailment relation, where we use the symbol $\Vdash$ in order to distinguish it cleanly from the symbol $\vdash$ used by the logical framework. $\Psi$ makes the list of term parameters $x : A$ (introduced by $\forall I$ and $\exists E$) and logical assumptions $x \in P$ (introduced by $\exists E$) explicit. Objects that are substituted for parameters must be valid in the logical framework, which is indicated by the left premiss of $\forall E$ and $\exists I$. We write for the result of mapping a meta level context down to the logical framework level (by removing all declarations of the form $x \in P$). The induction principle for natural numbers is standard:

$$\frac{\Psi \Vdash_\Sigma P(\mathsf{z}) \quad \Psi, n' : \mathsf{nat}, x \in P(n') \Vdash_\Sigma P(\mathsf{s}\ n')}{\Psi, n : \mathsf{nat} \Vdash_\Sigma P(n)}\ \mathsf{ind\_nat}^{n',x}$$

$P(n)$ or $\Psi(n)$ indicate that $n$ can occur freely in $P$ or $\Psi$, respectively. $\mathsf{ind\_nat}$, $\forall I$, and $\exists E$ discharge assumptions that are listed with the rule name.

The logical framework LF [HHP93] extends the simply typed $\lambda$-calculus by dependent types. We write $\Gamma \vdash_\Sigma M : A$ for the LF typing judgment where $\Gamma$ is the standard LF context, $M$ is an object and $A$ its type. Every object in LF has a canonical ($\beta$-normal $\eta$-long) form for which we write $\Gamma \vdash_\Sigma M \Uparrow A$. LF's formulation is standard and we take $\beta\eta$-conversion as the notion of definitional equality [HHP93, Coq91]. An induction principle for natural numbers in the LF setting is slightly more complicated than the one above, because dependencies among the declarations in $\Psi$ must be respected.

Pi; V{z) 

Xi,n' : nat,x S V{n'),X 2 {s n') Pi; V{s n') 



Xi,n : nat,!F 2 (n) Pi; V{n) 



ind_nat" 



( 1 ) 
$$\frac{}{\Delta, G \vdash_{ND} G} \qquad \frac{\Delta, G_1 \vdash_{ND} G_2}{\Delta \vdash_{ND} G_1 \supset G_2}\ {\supset}I \qquad \frac{\Delta \vdash_{ND} G_1 \supset G_2 \qquad \Delta \vdash_{ND} G_1}{\Delta \vdash_{ND} G_2}\ {\supset}E$$

Fig. 2. Natural deduction calculus



3 Higher-Order Encodings 

Our approach to induction principles scales to arbitrary higher-order representations.
In fact it scales to any deductive system that can be represented in LF.
Our running example is the natural deduction calculus [Gen35], which is depicted
in Figure 2. The judgment $\Delta \vdash_{ND} G$ is hypothetical, and its encoding uses binding
constructs to represent the hypotheses from $\Delta$.

Hypotheses: $\Delta ::= \cdot \mid \Delta, G$ (2)

Although we restrict this presentation to the implicational fragment of the natural
deduction calculus, all technology developed in this paper scales to full
first-order logic. Formulas $G_1 \supset G_2$ are represented in LF as $\ulcorner G_1 \urcorner \supset \ulcorner G_2 \urcorner$
where $\ulcorner \cdot \urcorner$ denotes the standard representation function. We write $\lfloor \cdot \rfloor$ for its
inverse, whose existence we can assume. Consult [HHP93] for an in-depth coverage
of this example.

Example 1 (Natural Deduction Calculus).

$$\begin{array}{lll}
\Sigma = & o & : \mathsf{type}, \\
& \supset & : o \to (o \to o), \\
& \mathsf{nd} & : o \to \mathsf{type}, \\
& \mathsf{impI} & : (\mathsf{nd}\ G_1 \to \mathsf{nd}\ G_2) \to \mathsf{nd}\ (G_1 \supset G_2), \\
& \mathsf{impE} & : \mathsf{nd}\ (G_1 \supset G_2) \to \mathsf{nd}\ G_1 \to \mathsf{nd}\ G_2.
\end{array}$$

Following standard practice [Pfe91], we omit in this presentation all implicit
Π-abstractions from types.

When working with complex encodings such as the one of a proof calculus, the
first question that should come to mind is whether the representation is adequate, i.e.
whether natural deduction derivations are in one-to-one correspondence with canonical
LF objects of appropriate type. Adequacy is proven by induction. In the case
of natural deductions, however, special care must be taken in formulating the
induction hypothesis of the adequacy theorem. Hypothetical judgments are encoded
as higher-order functions and consequently already the formulation of the
theorem must establish the connection between free variables (or parameters) in
an LF encoding and valid hypotheses in the natural deduction calculus.

Therefore adequacy is a property of open objects, and not just of closed
objects as in the case of natural numbers. Here is a first attempt to formulate
the adequacy property: For any canonical LF object $\Gamma \vdash_\Sigma M \Uparrow \mathsf{nd}\ \ulcorner G \urcorner$ there
exists a unique derivation $\mathcal{D}$ of judgment $\Delta \vdash_{ND} G$ (written as $\mathcal{D} :: \Delta \vdash_{ND} G$),
such that $M = \ulcorner \mathcal{D} \urcorner$ and $\Gamma = \ulcorner \Delta \urcorner$ — and vice versa.

Also for hypothetical judgments, which are represented as open objects, $\ulcorner \cdot \urcorner$
must be a bijection. Clearly, $\Delta$ can be mapped directly to $\Gamma$, but the reverse does
not hold in general. Not every $\Gamma$ corresponds to a $\Delta$, as
$\Gamma = u_1 : \mathsf{nd}\ \ulcorner G_1 \urcorner, \ldots, u_n : \mathsf{nd}\ \ulcorner G_n \urcorner, A : o$ shows. Consequently, in the
interest of adequacy, we must restrict the set of $\Gamma$’s to those that are structurally
constructed the same way $\Delta$ is.

In fact, without loss of generality, we can always assume that $\Delta$ is a regularly
formed list, and we propose a formal way of characterizing valid contexts (which
we call regular for this reason). We write $\Gamma \in \mathcal{L}(\Phi)$ if $\Gamma$ is an instance of world
$\Phi$, the “type of all valid contexts”. With $\mathcal{L}(\Phi)$ we refer to the set of all regular
contexts generated by world $\Phi$.

Worlds: $\Phi ::= L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2 \mid \Phi + \Phi \mid \Phi^*$

In our example, $\Gamma \in \mathcal{L}((L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G)^*)$. $\mathcal{L}(\Phi)$ is defined in
Figure 3. Intuitively, worlds are regular expressions with “$L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2$”
as terminals, where $+$ describes alternatives, and $*$ repetition. The terminal
“$L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2$” satisfies the invariant that $\Gamma_1, \Gamma_2$ form a valid
context. $L$ is used to label blocks of declarations of a context, which allows us to
distinguish different blocks from each other. In context $\Gamma_0$, the set of regular
contexts $\mathcal{L}(L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2)$ consists of all α-variants of the block $\Gamma_2$ where
its free variables declared in $\Gamma_1$ have been instantiated by objects (summarized
as substitution $\sigma$) valid in $\Gamma_0$. We write $[\sigma]\Gamma_2$ for a context under a substitution.
That $\sigma$ is valid is enforced by the first premiss $\Gamma_0 \vdash \sigma : \Gamma_1$ of the “block”-rule,
whose definition we omit. The second premiss of the same rule is the standard
α-conversion congruence $\Gamma_0 \vdash \Gamma =_\alpha [\sigma]\Gamma_2$ which permits tacit variable renaming
on regular contexts. Consequently, without loss of generality all contexts in $\mathcal{L}(\Phi)$
are valid.

Worlds are the “types of valid contexts” which can also be interpreted as
grammars that generate $\Delta$, written as $\Delta \in \mathcal{L}(\lfloor \Phi \rfloor)$. As an example, compare the
world $\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G)^*$ with (2).

Theorem 1 (Adequacy for worlds). Let $\Phi$ be a world, and $\ulcorner \cdot \urcorner$ an adequate
representation function for all types that occur in $\Phi$. $\ulcorner \cdot \urcorner$ extends to a bijection
between LF contexts $\Gamma$ that satisfy $\cdot \vdash \Gamma \in \mathcal{L}(\Phi)$ and $\Delta$ that satisfy $\Delta \in \mathcal{L}(\lfloor \Phi \rfloor)$.

Theorem 2 (Adequacy of nd). Let $\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G)^*$ and
$\cdot \vdash \Gamma \in \mathcal{L}(\Phi)$. We have $\Gamma \vdash_\Sigma M \Uparrow \mathsf{nd}\ \ulcorner G \urcorner$ iff $M = \ulcorner \mathcal{D} \urcorner$ and $\mathcal{D} :: \lfloor \Gamma \rfloor \vdash_{ND} G$.

Proof. By structural induction on the derivation of $\Gamma \vdash_\Sigma M \Uparrow \mathsf{nd}\ \ulcorner G \urcorner$ in one
direction and $\mathcal{D}$ in the other.

This answers the first question. Natural deduction derivations can be adequately
represented in LF. But are these representations inductive in the sense
that they possess standard induction principles? Following standard definitions,
they are not, because impI’s type refers to nd in a negative position. However,
every term in LF has a canonical form in a given world, and canonical forms are
inductively defined, and therefore nd is still inductive, as we elaborate next.
$$\frac{\Gamma_0 \vdash \sigma : \Gamma_1 \qquad \Gamma_0 \vdash \Gamma =_\alpha [\sigma]\Gamma_2}{\Gamma_0 \vdash \Gamma \in \mathcal{L}(L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2)}\ \mathsf{block}$$

$$\frac{}{\Gamma_0 \vdash \cdot \in \mathcal{L}(\Phi^*)}\ \mathsf{empty} \qquad \frac{\Gamma_0 \vdash \Gamma \in \mathcal{L}(\Phi) \qquad \Gamma_0, \Gamma \vdash \Gamma' \in \mathcal{L}(\Phi^*)}{\Gamma_0 \vdash \Gamma, \Gamma' \in \mathcal{L}(\Phi^*)}\ \mathsf{unfold}$$

$$\frac{\Gamma_0 \vdash \Gamma \in \mathcal{L}(\Phi_1)}{\Gamma_0 \vdash \Gamma \in \mathcal{L}(\Phi_1 + \Phi_2)}\ \mathsf{left} \qquad \frac{\Gamma_0 \vdash \Gamma \in \mathcal{L}(\Phi_2)}{\Gamma_0 \vdash \Gamma \in \mathcal{L}(\Phi_1 + \Phi_2)}\ \mathsf{right}$$

Fig. 3. Set of regular contexts generated by world $\Phi$.
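To make the rules of Figure 3 concrete, here is an added example in Python; it is not code from the paper or from Twelf. It decides the judgment Γ0 ⊢ Γ ∈ L(Φ) over a small encoding of worlds and contexts: types are nested tuples, the α-conversion premiss of the block rule is handled by ignoring declaration names and comparing types only, and the premiss Γ0 ⊢ σ : Γ1 is approximated by requiring every variable of an instantiation to be declared in the prefix Γ0. The signature constants p, q : o, the world PHI2 and all sample contexts are constructed for the example and do not appear in the paper.

```python
# Added example, not from the paper: a checker for Γ0 ⊢ Γ ∈ L(Φ) (Figure 3).
# A type is a nested tuple headed by a constant, e.g. ('nd', ('imp', 'p', 'q'));
# a bare string is a signature constant or a variable declared in the context.
# Assumption (not in the paper): the signature has atoms p, q : o, so that
# closed formulas of the implicational fragment exist.
SIGNATURE = {'o', 'nd', 'hyp', 'conc', 'imp', 'p', 'q'}

# Worlds  Φ ::= L : some Γ1 block Γ2 | Φ + Φ | Φ*  are encoded as
#   ('block', L, some_vars, decls)  where decls = ((name, type_pattern), ...)
#   ('plus', Φ1, Φ2)  and  ('star', Φ).  The types of the 'some' variables are
# not recorded; the patterns in decls constrain what they can be bound to.
def block(label, some, decls):
    return ('block', label, tuple(some), tuple(decls))

def plus(w1, w2):
    return ('plus', w1, w2)

def star(w):
    return ('star', w)

def match(pat, ty, some, sigma):
    """Match a block pattern against a concrete type, binding 'some' variables in sigma."""
    if isinstance(pat, str):
        if pat in some:
            if pat in sigma:
                return sigma[pat] == ty
            sigma[pat] = ty
            return True
        return pat == ty
    return (isinstance(ty, tuple) and len(pat) == len(ty)
            and all(match(p, t, some, sigma) for p, t in zip(pat, ty)))

def variables(ty):
    """Leaves of a type term that are not signature constants."""
    if isinstance(ty, str):
        return set() if ty in SIGNATURE else {ty}
    return set().union(*(variables(t) for t in ty))

def ends(world, ctx, start):
    """Positions j with ctx[start:j] ∈ L(world), taking ctx[:start] as Γ0."""
    kind = world[0]
    if kind == 'block':
        _, _, some, decls = world
        end = start + len(decls)
        if end > len(ctx):
            return set()
        sigma = {}
        # second premiss of 'block': Γ =α [σ]Γ2 (names are ignored, types must agree)
        for (_, pat), (_, ty) in zip(decls, ctx[start:end]):
            if not match(pat, ty, some, sigma):
                return set()
        # first premiss of 'block': Γ0 ⊢ σ : Γ1, approximated here by requiring that
        # every variable in an instantiation is declared in the prefix Γ0
        declared_before = {name for name, _ in ctx[:start]}
        for v in some:
            if v not in sigma or not variables(sigma[v]) <= declared_before:
                return set()
        return {end}
    if kind == 'plus':                      # rules 'left' and 'right'
        return ends(world[1], ctx, start) | ends(world[2], ctx, start)
    if kind == 'star':                      # rules 'empty' and 'unfold'
        seen, frontier = {start}, [start]
        while frontier:
            pos = frontier.pop()
            for nxt in ends(world[1], ctx, pos):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
        return seen
    raise ValueError(f'unknown world constructor {kind!r}')

def regular(ctx, world):
    """· ⊢ Γ ∈ L(Φ): the whole context is generated by the world."""
    return len(ctx) in ends(world, ctx, 0)

# The world of Theorem 3: (L : some G : o block u : nd G, h : hyp G)*
PHI = star(block('L', ['G'], [('u', ('nd', 'G')), ('h', ('hyp', 'G'))]))
# A constructed world with two kinds of blocks, to exercise the Γ0 ⊢ σ : Γ1 premiss
PHI2 = star(plus(block('L1', [], [('a', 'o')]),
                 block('L2', ['G'], [('u', ('nd', 'G'))])))

def demo():
    """Constructed contexts: which of them are regular for PHI and PHI2."""
    good = [('u1', ('nd', 'p')), ('h1', ('hyp', 'p')),
            ('u2', ('nd', ('imp', 'p', 'q'))), ('h2', ('hyp', ('imp', 'p', 'q')))]
    bad_formula = [('u1', ('nd', 'p')), ('h1', ('hyp', 'q'))]   # u and h disagree on G
    bad_extra = good + [('A', 'o')]                               # the irregular Γ of Section 3
    ordered = [('a1', 'o'), ('u1', ('nd', 'a1'))]                 # a1 declared before use
    unordered = [('u1', ('nd', 'a1')), ('a1', 'o')]               # a1 used before declaration
    return {'good': regular(good, PHI), 'bad_formula': regular(bad_formula, PHI),
            'bad_extra': regular(bad_extra, PHI), 'empty': regular([], PHI),
            'ordered': regular(ordered, PHI2), 'unordered': regular(unordered, PHI2)}

if __name__ == '__main__':
    print(demo())
```

The star case computes the set of all positions reachable by repeatedly consuming one block, which is exactly the closure of the empty and unfold rules; the plus case is the union of left and right. The context `bad_extra` is the Γ from Section 3 that ends in a stray `A : o`, and it is rejected because no block of PHI can consume a single declaration of type `o`.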



4 Higher-Order Induction Principles 

Proofs by induction are common in computer science. However, not every type
that can be defined inductively possesses an appropriate induction principle.
Natural numbers do, lists do, trees do, essentially any data type that is defined
satisfying the positivity condition [PM93] does. Higher-order representations,
however, do not.

Recall that higher-order abstract syntax is characterized by using meta-level
variables to encode object-level variables, and meta-level binders to encode
object-level binders. ⊃I introduces a new assumption, for example, which is
captured by the functional argument to impI. Therefore, by design, higher-order
representations may not satisfy the positivity condition. Consequently, induction
on higher-order representations is fundamentally problematic.

This observation could lead one to believe that induction principles for
higher-order encodings do not exist. Against this intuition speaks the observation
that every LF object — functional or non-functional — has an inductively
defined canonical (β-normal η-long) form. How to exploit this property to derive
an induction principle for higher-order encodings is the main contribution
of this paper. We demonstrate our solution by an induction principle for natural
deduction derivations which is used in the proof of the following property: Every
natural deduction derivation can be translated into a sequent derivation.

The sequent calculus [Gen35] defining the judgment $\Delta \Longrightarrow G$ is depicted in
Figure 4. It is defined for the same fragment as the natural deduction calculus from
Figure 2. For this example it is not so important what the sequent calculus
actually is, but it is important how it is represented in LF [Pfe95].

Example 2 (Sequent deductions). Extends $\Sigma$ from Example 1.

$$\begin{array}{lll}
\Sigma = & \ldots, \mathsf{hyp} & : o \to \mathsf{type}, \\
& \mathsf{conc} & : o \to \mathsf{type}, \\
& \mathsf{init} & : \mathsf{hyp}\ G \to \mathsf{conc}\ G, \\
& \mathsf{impR} & : (\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2) \to \mathsf{conc}\ (G_1 \supset G_2), \\
& \mathsf{impL} & : \mathsf{conc}\ G_1 \to (\mathsf{hyp}\ G_2 \to \mathsf{conc}\ G_3) \to (\mathsf{hyp}\ (G_1 \supset G_2) \to \mathsf{conc}\ G_3), \\
& \mathsf{cut} & : \mathsf{conc}\ G_1 \to (\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2) \to \mathsf{conc}\ G_2.
\end{array}$$
$$\frac{}{\Gamma, G \Longrightarrow G}\ \mathsf{init} \qquad \frac{\Gamma \Longrightarrow G_1 \qquad \Gamma, G_1 \Longrightarrow G_2}{\Gamma \Longrightarrow G_2}\ \mathsf{cut}$$

$$\frac{\Gamma, G_1 \supset G_2 \Longrightarrow G_1 \qquad \Gamma, G_1 \supset G_2, G_2 \Longrightarrow G_3}{\Gamma, G_1 \supset G_2 \Longrightarrow G_3}\ {\supset}L \qquad \frac{\Gamma, G_1 \Longrightarrow G_2}{\Gamma \Longrightarrow G_1 \supset G_2}\ {\supset}R$$

Fig. 4. Sequent calculus



Sequents $\Delta \Longrightarrow G$ are encoded by two separate type families. Hypotheses in
$\Delta$ are encoded using hyp as LF contexts, and $G$ as an object of type $\mathsf{conc}\ \ulcorner G \urcorner$.
The representation of the inference rules is straightforward, well understood, and
adequacy can be established in the world $\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ h{:}\mathsf{hyp}\ G)^*$.

We begin now with the presentation of the central example of this paper:
What is a formal proof of the following statement?

$$\forall G{:}o.\ \forall D{:}\mathsf{nd}\ G.\ \exists Q{:}\mathsf{conc}\ G.\ \top \qquad (3)$$

Informally, the proof of this theorem proceeds by structural induction on
$\lfloor D \rfloor :: \cdot \vdash_{ND} G$ — it is a hypothetical proof because appeals of the induction
hypothesis to the premiss of impI introduce a new nd-hypothesis. But there is a problem
here! The adequacy results for natural deductions and for sequent derivations
differ in what kind of declarations are permitted. For one it is $u : \mathsf{nd}\ \ulcorner G \urcorner$
and for the other $h : \mathsf{hyp}\ \ulcorner G \urcorner$. The solution involves merging both worlds into
one, namely $\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G)^*$, and reproving the
adequacy results for natural deduction and sequent encodings. Those proofs rely
on the following two strengthening properties.

Lemma 1 (Strengthening natural deductions). If $h$ does not occur free in
$\Gamma'$ and $\Gamma, h{:}\mathsf{hyp}\ G_1, \Gamma' \vdash_\Sigma M \Uparrow \mathsf{nd}\ G_2$ then $\Gamma, \Gamma' \vdash_\Sigma M \Uparrow \mathsf{nd}\ G_2$.

Lemma 2 (Strengthening sequent derivations). If $u$ does not occur free
in $\Gamma'$ and $\Gamma, u{:}\mathsf{nd}\ G_1, \Gamma' \vdash_\Sigma M \Uparrow \mathsf{conc}\ G_2$ then $\Gamma, \Gamma' \vdash_\Sigma M \Uparrow \mathsf{conc}\ G_2$.

Theorem 3 (Adequacy for nd and hyp/conc). Let $\cdot \vdash \Gamma \in \mathcal{L}(\Phi)$.

1. $\Gamma \vdash_\Sigma M \Uparrow \mathsf{nd}\ \ulcorner G \urcorner$ iff $M = \ulcorner \mathcal{D} \urcorner$ and $\mathcal{D} :: \lfloor \Gamma \rfloor \vdash_{ND} G$.

2. $\Gamma \vdash_\Sigma M \Uparrow \mathsf{conc}\ \ulcorner G \urcorner$ iff $M = \ulcorner \mathcal{D} \urcorner$ and $\mathcal{D} :: \lfloor \Gamma \rfloor \Longrightarrow G$.

Proof. By structural induction on the derivation of $\Gamma \vdash_\Sigma M \Uparrow \mathsf{nd}\ \ulcorner G \urcorner$,
$\Gamma \vdash_\Sigma M \Uparrow \mathsf{conc}\ \ulcorner G \urcorner$ in one direction and $\mathcal{D}$ in the other, respectively,
using Lemma 1 and Lemma 2.

As this example shows, worlds are as important for proving the adequacy
of encodings as the signatures themselves. With this in mind, let us return to
the definition of intuitionistic first-order logic presented in Figure 1 and index
the judgment by $\Sigma; \Phi$ instead of just $\Sigma$. Endowing the logic with worlds has
consequences on the definition of the context $\Psi$ which we address below.

Contexts $\Psi$ capture all assumptions that are valid in a respective state of
a proof. $x \in \mathcal{P}$, for example, assumes that $\mathcal{P}$ holds. Without worlds, $x : A$
stands for the assumption that there exists a closed LF object of type $A$. But
in the presence of worlds this setting may be generalized; we let $x : A$ stand for
the assumption that there exists an open object that is valid in some context
$\Gamma \in \mathcal{L}(\Phi)$. But how can we express assumptions about the form of $\Gamma$, such as
that $\Gamma$ contains certain parameters?

The answer to this question has already been proposed in [Sch00,Sch01]. A
new concept of block variables is required, that ranges over valid parameter
blocks in accordance with the world $\Phi$ (written as $\rho^L \in \Phi$). Block variables are
of the form $\rho ::= \cdot \mid \rho, x{:}A$. Each block variable follows the structure of $\Gamma_2$
in “$L : \mathsf{some}\ \Gamma_1\ \mathsf{block}\ \Gamma_2$” and is labeled with the appropriate label $L$. They
capture assumptions about the context valid in a respective state of a proof.

$\Psi ::= \cdot \mid \Psi, x{:}A \mid \Psi, [\rho]^L \mid \Psi, x \in \mathcal{P}$

Still, $\overline{\Psi}$ stands for the LF-context obtained from $\Psi$ by removing all declarations
of the form $x \in \mathcal{P}$, and flattening out the individual declarations in $[\rho]^L$.

Example 3. Let $\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G)^*$; then
$\Psi = G{:}o, [u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L$ is a valid context.

What will happen if the induction hypothesis (3) is applied to the premiss
of the impI rule $D' : \mathsf{nd}\ \ulcorner G_1 \urcorner \to \mathsf{nd}\ \ulcorner G_2 \urcorner$? Informally one would assume $G_1$
and then apply the induction hypothesis to $\lfloor D'\ u \rfloor$, which guarantees that there
exists a sequent derivation of $G_2$. Formally, one first assumes $u : \mathsf{nd}\ \ulcorner G_1 \urcorner$ and
$h : \mathsf{hyp}\ \ulcorner G_1 \urcorner$ (to conform with $\Phi$), followed by an appeal to the induction
hypothesis to $\ulcorner G_2 \urcorner$ and $(D'\ u) : \mathsf{nd}\ \ulcorner G_2 \urcorner$. By Lemma 2 and a process called
abstraction defined below we conclude

$$\exists x : \mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2.\ \top. \qquad (4)$$

For the general case, dependency relations provide an answer on how to strengthen
in a logical framework [Vir99]. We say that one type is dependent on another
if objects of the former are built in terms of objects of the latter. For example,
‘conc $G_2$’ is dependent on ‘hyp $G_1$’ by rule init, but not on ‘nd $G_1$’ by Lemma 2.
Formally we write ‘hyp $G_1 \prec$ conc $G_2$’, but ‘nd $G_1 \not\prec$ conc $G_2$’.

The process of incorporating assumptions of the form $x : A$ into a type or
formula is called abstraction. Intuitively, it turns derivations of hypothetical
judgments into functions while applying the a priori proven strengthening results
as stringently as possible. In the example above, we write
‘$\nu(u{:}\mathsf{nd}\ G_1, h{:}\mathsf{hyp}\ G_1).\ \exists x{:}\mathsf{conc}\ G_2.\ \top$’ for $\exists x : \mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2.\ \top$
for the abstracted formula, and ‘$\nu(u{:}\mathsf{nd}\ G_1, h{:}\mathsf{hyp}\ G_1).\ \mathsf{conc}\ G_2$’ for the
abstracted LF type.
Definition 1 (Abstraction).

1. Type-level abstraction:

$$\nu\rho.\,A_2 = \begin{cases} A_2 & \text{if } \rho = \cdot \\ \nu\rho'.\,A_2 & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \not\prec A_2 \\ \Pi x{:}A_1.\,(\nu\rho'.\,A_2) & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \prec A_2 \end{cases}$$

2. Object-level abstraction: Let $M$ be well-typed of type $A_2$.

$$\nu\rho.\,M = \begin{cases} M & \text{if } \rho = \cdot \\ \nu\rho'.\,M & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \not\prec A_2 \\ \lambda x{:}A_1.\,(\nu\rho'.\,M) & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \prec A_2 \end{cases}$$

3. Object-level application: Let $M$ be well-typed of type $\nu\rho.\,A_2$.

$$M\,\rho = \begin{cases} M & \text{if } \rho = \cdot \\ M\,\rho' & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \not\prec A_2 \\ (M\,x)\,\rho' & \text{if } \rho = x{:}A_1, \rho' \text{ and } A_1 \prec A_2 \end{cases}$$

4. Meta-level abstraction: Let $\mathcal{P}$ be a well-formed formula.

$$\nu\rho.\,\mathcal{P} = \begin{cases} \top & \text{if } \mathcal{P} = \top \\ \forall x{:}(\nu\rho.\,A).\,\nu\rho.\,\mathcal{P}'(x\,\rho) & \text{if } \mathcal{P} = \forall x{:}A.\,\mathcal{P}'(x) \\ \exists x{:}(\nu\rho.\,A).\,\nu\rho.\,\mathcal{P}'(x\,\rho) & \text{if } \mathcal{P} = \exists x{:}A.\,\mathcal{P}'(x) \end{cases}$$

Lemma 3 (Soundness of Abstraction).

1. If $\Gamma, \rho \vdash A : \mathsf{type}$ then $\Gamma \vdash \nu\rho.\,A : \mathsf{type}$.

2. If $\Gamma, \rho \vdash M : A$ then $\Gamma \vdash \nu\rho.\,M : \nu\rho.\,A$.

3. If $\Gamma \vdash M : \nu\rho.\,A$ then $\Gamma, \rho \vdash M\,\rho : A$.
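As an added example, not code from the paper, the following Python computes the four clauses of Definition 1 for the signature of Examples 1 and 2. The paper does not give the dependency relation ≺ in computable form; here it is approximated (an assumption of this example) by the reflexive and transitive closure of “family a occurs in the type of a constructor whose target is family b”, which yields hyp ≺ conc and nd ⊀ conc as stated in the text. The names SIG, DEP, abstract_type and the rest are the example's own.

```python
# Added example, not from the paper: Definition 1 computed over the signature of
# Examples 1 and 2.  Types are tuples: ('->', A, B) is a non-dependent function type,
# ('pi', x, A, B) a dependent one, (family, index) an applied type family; strings are
# constants or variables.  The dependency relation ≺ is derived here (an assumption of
# this example) as the reflexive-transitive closure of "family a occurs in the type of
# a constructor whose target is family b".
SIG = {
    'impI': ('->', ('->', ('nd', 'G1'), ('nd', 'G2')), ('nd', ('imp', 'G1', 'G2'))),
    'impE': ('->', ('nd', ('imp', 'G1', 'G2')), ('->', ('nd', 'G1'), ('nd', 'G2'))),
    'init': ('->', ('hyp', 'G'), ('conc', 'G')),
    'impR': ('->', ('->', ('hyp', 'G1'), ('conc', 'G2')), ('conc', ('imp', 'G1', 'G2'))),
    'impL': ('->', ('conc', 'G1'), ('->', ('->', ('hyp', 'G2'), ('conc', 'G3')),
             ('->', ('hyp', ('imp', 'G1', 'G2')), ('conc', 'G3')))),
    'cut': ('->', ('conc', 'G1'), ('->', ('->', ('hyp', 'G1'), ('conc', 'G2')), ('conc', 'G2'))),
}
FAMILIES = {'nd', 'hyp', 'conc'}

def head(ty):
    """Type family at the target of a (possibly functional) type."""
    while ty[0] in ('->', 'pi'):
        ty = ty[-1]
    return ty[0]

def families_in(ty):
    """Type families occurring anywhere in a type term."""
    if isinstance(ty, str):
        return set()
    found = {ty[0]} if ty[0] in FAMILIES else set()
    return found.union(*(families_in(t) for t in ty[1:]))

def dependencies(sig):
    """dep[b] = {a : a ≺ b}: objects of family b may be built from objects of family a."""
    dep = {f: {f} for f in FAMILIES}
    for ty in sig.values():
        dep[head(ty)] |= families_in(ty)
    changed = True
    while changed:                                   # transitive closure
        changed = False
        for b in FAMILIES:
            closure = set().union(*(dep[a] for a in dep[b]))
            if not closure <= dep[b]:
                dep[b] |= closure
                changed = True
    return dep

DEP = dependencies(SIG)

def depends(a1, a2):
    """A1 ≺ A2"""
    return head(a1) in DEP[head(a2)]

def abstract_type(rho, a2):
    """νρ. A2 (Definition 1, clause 1): keep x : A1 as a Π only if A1 ≺ A2."""
    if not rho:
        return a2
    (x, a1), rest = rho[0], rho[1:]
    inner = abstract_type(rest, a2)
    return ('pi', x, a1, inner) if depends(a1, a2) else inner

def abstract_object(rho, m, a2):
    """νρ. M for M of type A2 (Definition 1, clause 2)."""
    if not rho:
        return m
    (x, a1), rest = rho[0], rho[1:]
    inner = abstract_object(rest, m, a2)
    return ('lam', x, a1, inner) if depends(a1, a2) else inner

def apply_object(m, rho, a2):
    """M ρ for M of type νρ. A2 (Definition 1, clause 3)."""
    for x, a1 in rho:
        if depends(a1, a2):
            m = ('app', m, x)
    return m

def subst(term, x, by):
    """Replace variable x by the term `by` throughout a type or formula."""
    if term == x:
        return by
    if isinstance(term, str):
        return term
    return tuple(subst(t, x, by) for t in term)

def abstract_formula(rho, p):
    """νρ. P (Definition 1, clause 4); formulas are ('T',) or (quant, x, A, body)."""
    if p == ('T',):
        return p
    quant, x, a, body = p
    body = subst(body, x, apply_object(x, rho, a))        # P'(x ρ)
    return (quant, x, abstract_type(rho, a), abstract_formula(rho, body))

def demo():
    """The abstraction step of the impI case: ρ = u : nd G1, h : hyp G1."""
    rho = [('u', ('nd', 'G1')), ('h', ('hyp', 'G1'))]
    lf_type = abstract_type(rho, ('conc', 'G2'))                  # ν ρ. conc G2
    formula = abstract_formula(rho, ('exists', 'x', ('conc', 'G2'), ('T',)))   # formula (4)
    nd_type = abstract_type(rho, ('nd', 'G2'))                    # u is kept, h is dropped
    return lf_type, formula, nd_type
```

Running `demo()` reproduces formula (4): the declaration `u : nd G1` is dropped because nd ⊀ conc, while `h : hyp G1` survives as a Π-binder, so `∃x : conc G2. ⊤` becomes `∃x : (Πh : hyp G1. conc G2). ⊤`. Abstracting the type `nd G2` over the same ρ keeps u and drops h, which is the strengthening of Lemma 1 applied in reverse.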

With all this machinery in place, we can give a specialized induction principle
for the higher-order type of natural deductions nd.

Definition 2 (Specialized induction principle for type family ‘nd’).

This induction principle is designed for the world

$$\Phi = (L : \mathsf{some}\ G{:}o\ \mathsf{block}\ u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G)^*$$

Let $\mathcal{P}$ be the property to be proven. ind_nd is the induction principle for nd.

$$\frac{\begin{array}{c}
\Psi_1, G{:}o, [u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L, \Psi_2(G, u) \Vdash_{\Sigma;\Phi} \mathcal{P}(G, u) \\[1ex]
\Psi_1, G_1{:}o, G_2{:}o, D'{:}\mathsf{nd}\ G_1 \to \mathsf{nd}\ G_2, x \in \nu(u{:}\mathsf{nd}\ G_1, h{:}\mathsf{hyp}\ G_1).\,\mathcal{P}(G_2, D'\ u), \Psi_2(G_1 \supset G_2, \mathsf{impI}\ D') \Vdash_{\Sigma;\Phi} \mathcal{P}(G_1 \supset G_2, \mathsf{impI}\ D') \\[1ex]
\Psi_1, G_1{:}o, G_2{:}o, D_1{:}\mathsf{nd}\ (G_2 \supset G_1), D_2{:}\mathsf{nd}\ G_2, x_1 \in \mathcal{P}(G_2 \supset G_1, D_1), x_2 \in \mathcal{P}(G_2, D_2), \Psi_2(G_1, \mathsf{impE}\ D_1\ D_2) \Vdash_{\Sigma;\Phi} \mathcal{P}(G_1, \mathsf{impE}\ D_1\ D_2)
\end{array}}{\Psi_1, G{:}o, D{:}\mathsf{nd}\ G, \Psi_2(G, D) \Vdash_{\Sigma;\Phi} \mathcal{P}(G, D)}\ \mathsf{ind\_nd}$$

The first premiss enforces that $\mathcal{P}$ holds for an arbitrary but fixed parameter
block $[u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L \in \Phi$. The second premiss guarantees that $\mathcal{P}$ holds for
any derivation ending in $(\mathsf{impI}\ D')$, and the third that $\mathcal{P}$ holds for any derivation
ending in $(\mathsf{impE}\ D_1\ D_2)$.

The soundness of this induction principle follows from considerations presented
in Section 5. With this induction principle formula (3) is directly, elegantly,
and formally provable.

Proof.

$\mathcal{P}_1 :: G{:}o, [u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L \vdash \mathsf{init}\ h : \mathsf{conc}\ G$ (in LF)
$\mathcal{P}_2 :: G{:}o, [u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ G.\,\top$ (by ∃I on $\mathcal{P}_1$ and ⊤I)

Let $\Psi_2 = G_1{:}o, G_2{:}o, D'{:}\mathsf{nd}\ G_1 \to \mathsf{nd}\ G_2, x \in \exists Q_1{:}\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2.\,\top$.

$\mathcal{Q}_1 :: \Psi_2 \Vdash_{\Sigma;\Phi} \exists Q_1{:}\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2.\,\top$ (by assumption)
$\mathcal{Q}_2 :: \Psi_2, Q'{:}\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2 \vdash \mathsf{impR}\ Q' : \mathsf{conc}\ (G_1 \supset G_2)$ (in LF)
$\mathcal{Q}_3 :: \Psi_2, Q'{:}\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2 \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ (G_1 \supset G_2).\,\top$ (by ∃I on $\mathcal{Q}_2$ and ⊤I)
$\mathcal{Q}_4 :: \Psi_2 \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ (G_1 \supset G_2).\,\top$ (by ∃E on $\mathcal{Q}_1$ and $\mathcal{Q}_3$)

Let $\Psi_3 = G_1{:}o, G_2{:}o, D_1{:}\mathsf{nd}\ (G_2 \supset G_1), D_2{:}\mathsf{nd}\ G_2, x_1 \in \exists Q_1{:}\mathsf{conc}\ (G_2 \supset G_1).\,\top, x_2 \in \exists Q_2{:}\mathsf{conc}\ G_2.\,\top$
and $\Psi_3' = \Psi_3, Q_1{:}\mathsf{conc}\ (G_2 \supset G_1), Q_2{:}\mathsf{conc}\ G_2$.

$\mathcal{R}_1 :: \Psi_3 \Vdash_{\Sigma;\Phi} \exists Q_1{:}\mathsf{conc}\ (G_2 \supset G_1).\,\top$ (by assumption)
$\mathcal{R}_2 :: \Psi_3, Q_1{:}\mathsf{conc}\ (G_2 \supset G_1) \Vdash_{\Sigma;\Phi} \exists Q_2{:}\mathsf{conc}\ G_2.\,\top$ (by assumption)
$\mathcal{R}_3 :: \Psi_3', h{:}\mathsf{hyp}\ (G_2 \supset G_1) \vdash \mathsf{impL}\ Q_2\ \mathsf{init}\ h : \mathsf{conc}\ G_1$ (in LF)
$\mathcal{R}_4 :: \Psi_3' \vdash \mathsf{impL}\ Q_2\ \mathsf{init} : \mathsf{hyp}\ (G_2 \supset G_1) \to \mathsf{conc}\ G_1$ (in LF using $\mathcal{R}_3$)
$\mathcal{R}_5 :: \Psi_3' \vdash \mathsf{cut}\ Q_1\ (\mathsf{impL}\ Q_2\ \mathsf{init}) : \mathsf{conc}\ G_1$ (in LF using $\mathcal{R}_4$)
$\mathcal{R}_6 :: \Psi_3' \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ G_1.\,\top$ (by ∃I on $\mathcal{R}_5$ and ⊤I)
$\mathcal{R}_7 :: \Psi_3, Q_1{:}\mathsf{conc}\ (G_2 \supset G_1) \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ G_1.\,\top$ (by ∃E on $\mathcal{R}_2$ and $\mathcal{R}_6$)
$\mathcal{R}_8 :: \Psi_3 \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ G_1.\,\top$ (by ∃E on $\mathcal{R}_1$ and $\mathcal{R}_7$)

$\mathcal{D}_1 :: G{:}o, D{:}\mathsf{nd}\ G \Vdash_{\Sigma;\Phi} \exists Q{:}\mathsf{conc}\ G.\,\top$ (by ind_nd on $\mathcal{P}_2$, $\mathcal{Q}_4$ and $\mathcal{R}_8$)
$\mathcal{D}_2 :: G{:}o \Vdash_{\Sigma;\Phi} \forall D{:}\mathsf{nd}\ G.\,\exists Q{:}\mathsf{conc}\ G.\,\top$ (by ∀I on $\mathcal{D}_1$)
$\mathcal{D}_3 :: \cdot \Vdash_{\Sigma;\Phi} \forall G{:}o.\,\forall D{:}\mathsf{nd}\ G.\,\exists Q{:}\mathsf{conc}\ G.\,\top$ (by ∀I on $\mathcal{D}_2$)
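The proof above is constructive, and Section 5 reads it as a realizer. As an added example that is not code from the paper, the Python below writes that realizer out over a first-order representation of the two calculi of Examples 1 and 2: named hypotheses stand in for the parameters u and h, and one name is shared by both halves of a block [u : nd G, h : hyp G]^L, which is how the merged world of Theorem 3 is modelled here. `translate` follows the three cases of ind_nd (P1, Q2, and R3 to R5), and `seq_check` confirms that its result proves the same formula the natural deduction derivation does. All class and function names, and the sample derivation in `demo`, are the example's own.

```python
# Added example, not from the paper: the realizer of formula (3), a translation from
# natural deduction derivations (Example 1) to sequent derivations (Example 2) over a
# first-order representation with named hypotheses.  One name serves for both halves
# of a block [u : nd G, h : hyp G]^L of the merged world of Theorem 3.
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Atom: name: str
@dataclass(frozen=True)
class Imp: left: object; right: object                 # G1 ⊃ G2

# Natural deduction derivations (Example 1)
@dataclass(frozen=True)
class Hyp: name: str                                   # use of a parameter u : nd G
@dataclass(frozen=True)
class ImpI: name: str; formula: object; body: object   # impI, binding name : nd formula
@dataclass(frozen=True)
class ImpE: fun: object; arg: object                   # impE : nd (G1 ⊃ G2) -> nd G1 -> nd G2

# Sequent derivations (Example 2)
@dataclass(frozen=True)
class Init: name: str                                  # init : hyp G -> conc G
@dataclass(frozen=True)
class ImpR: name: str; formula: object; body: object   # impR, binding name : hyp formula
@dataclass(frozen=True)
class ImpL: principal: str; left: object; name: str; right: object
# impL : conc G1 -> (hyp G2 -> conc G3) -> hyp (G1 ⊃ G2) -> conc G3;
# `principal` is the hypothesis h : hyp (G1 ⊃ G2), `name` binds hyp G2 in `right`
@dataclass(frozen=True)
class Cut: left: object; name: str; right: object      # cut, binding name : hyp (formula of left)

def nd_check(ctx, d):
    """Conclusion G of D :: ctx ⊢_ND G; raises TypeError if D is ill-formed."""
    if isinstance(d, Hyp):
        return ctx[d.name]
    if isinstance(d, ImpI):
        return Imp(d.formula, nd_check({**ctx, d.name: d.formula}, d.body))
    fun, arg = nd_check(ctx, d.fun), nd_check(ctx, d.arg)
    if not (isinstance(fun, Imp) and fun.left == arg):
        raise TypeError('impE: minor premiss does not match the antecedent')
    return fun.right

def seq_check(ctx, q):
    """Conclusion G of Q :: ctx ⟹ G; raises TypeError if Q is ill-formed."""
    if isinstance(q, Init):
        return ctx[q.name]
    if isinstance(q, ImpR):
        return Imp(q.formula, seq_check({**ctx, q.name: q.formula}, q.body))
    if isinstance(q, ImpL):
        principal = ctx[q.principal]
        if not (isinstance(principal, Imp) and seq_check(ctx, q.left) == principal.left):
            raise TypeError('impL: left premiss does not prove the antecedent')
        return seq_check({**ctx, q.name: principal.right}, q.right)
    cut_formula = seq_check(ctx, q.left)
    return seq_check({**ctx, q.name: cut_formula}, q.right)

def translate(d, fresh=None):
    """The function the proof of (3) describes, one clause per case of ind_nd."""
    fresh = fresh if fresh is not None else (f'h{i}' for i in count())
    if isinstance(d, Hyp):                                    # P1: init h
        return Init(d.name)
    if isinstance(d, ImpI):                                   # Q2: impR applied to the IH
        return ImpR(d.name, d.formula, translate(d.body, fresh))
    q1, q2 = translate(d.fun, fresh), translate(d.arg, fresh)  # R1, R2: both IHs
    h, h2 = next(fresh), next(fresh)
    return Cut(q1, h, ImpL(h, q2, h2, Init(h2)))               # R3..R5: cut Q1 (impL Q2 init)

def demo():
    """Constructed input: D :: · ⊢_ND A ⊃ ((A ⊃ B) ⊃ B), i.e. impI (λu. impI (λv. impE v u))."""
    a, b = Atom('A'), Atom('B')
    d = ImpI('u', a, ImpI('v', Imp(a, b), ImpE(Hyp('v'), Hyp('u'))))
    q = translate(d)
    return nd_check({}, d), seq_check({}, q), q

if __name__ == '__main__':
    print(demo())
```

The impI case shows the strengthening of Lemma 2 in action: the sequent derivation built under the block never refers to the nd-half of the hypothesis, only to its hyp-half via `Init`, so the binder introduced by `ImpR` is all that remains of the block. The impE case is exactly the LF object `cut Q1 (impL Q2 init)` typed in R5.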



We begin now with the presentation of the general form of the induction
principle that works for all higher-order encodings in LF. This principle ends
in a conclusion of the form $\Psi \Vdash_{\Sigma;\Phi} \mathcal{P}$. The challenge in designing this principle
is that (a) we need to pick one or more declarations in $\Psi$ as case subjects, (b) we
cannot rely on patterns to be linear (in the sense of linear patterns as in pattern
matching), and (c) case subjects might be instantiated by parameters from an
LF context. All three points are illustrated by the principle ind_nd: It shows that
(a) we distinguish cases over $G$ and $D$ simultaneously, (b) $G$ occurs by itself and
as an index to $D$, and (c) $D$ might be instantiated by a $u : \mathsf{nd}\ G \in \Gamma \in \mathcal{L}(\Phi)$.
Our solution employs substitutions as patterns, i.e. patterns in the sense of
pattern matching. A pattern is a pair of a context, which gathers all free variables
that occur in the pattern, and a substitution $\sigma$ that is defined as follows:

$\sigma ::= \cdot \mid \sigma, M/x \mid \sigma, \rho'/\rho \mid \sigma, x'/x$
$$\frac{}{\Psi' \vdash_{\Sigma;\Phi} \cdot : \cdot}\ \mathsf{sub\text{-}empty} \qquad \frac{\Psi' \vdash_{\Sigma;\Phi} \sigma : \Psi \qquad \overline{\Psi'} \vdash_\Sigma M : [\sigma]A}{\Psi' \vdash_{\Sigma;\Phi} \sigma, M/x : \Psi, x{:}A}\ \mathsf{sub\text{-}lf}$$

$$\frac{\Psi' \vdash_{\Sigma;\Phi} \sigma : \Psi \qquad [\rho']^L \in \Psi' \qquad \overline{\Psi'} \vdash \rho' : [\sigma]\rho}{\Psi' \vdash_{\Sigma;\Phi} \sigma, \rho'/\rho : \Psi, [\rho]^L}\ \mathsf{sub\text{-}block}$$

$$\frac{\Psi' \vdash_{\Sigma;\Phi} \sigma : \Psi \qquad \Psi'(x') = [\sigma]\mathcal{P}}{\Psi' \vdash_{\Sigma;\Phi} \sigma, x'/x : \Psi, x \in \mathcal{P}}\ \mathsf{sub\text{-}meta}$$

Fig. 5. Well-defined substitutions



The domain of $\sigma$ is always $\Psi$. Example ind_nd used three patterns $(\Psi_i; \sigma_i)$:

$\Psi_1 = G{:}o, [u{:}\mathsf{nd}\ G, h{:}\mathsf{hyp}\ G]^L$
$\sigma_1 = G/G, u/D$

$\Psi_2 = G_1{:}o, G_2{:}o, D'{:}\mathsf{nd}\ G_1 \to \mathsf{nd}\ G_2, x_1 \in \exists x{:}\mathsf{hyp}\ G_1 \to \mathsf{conc}\ G_2.\,\top$
$\sigma_2 = G_1 \supset G_2/G, \mathsf{impI}\ D'/D$

$\Psi_3 = G_1{:}o, G_2{:}o, D_1{:}\mathsf{nd}\ (G_2 \supset G_1), D_2{:}\mathsf{nd}\ G_2, x_1 \in \exists x{:}\mathsf{conc}\ (G_2 \supset G_1).\,\top, x_2 \in \exists x{:}\mathsf{conc}\ G_2.\,\top$
$\sigma_3 = G_1/G, \mathsf{impE}\ D_1\ D_2/D$

We write $\Psi' \vdash_{\Sigma;\Phi} \sigma : \Psi$ for well-defined substitutions, which are defined in
Figure 5. Not every pair $(\Psi'; \sigma)$ however is a valid pattern. Intuitively, all free
variables in $\sigma$ should be instantiated when matching against an instantiation
of $\Psi$. This requirement excludes $\Psi'$’s that are too large, containing unnecessary
declarations. It also excludes patterns that contain variables that may not be
instantiated by matching. These are variables that occur in flex/flex positions
during matching, i.e. variables that do not occur in strict positions in the pattern.
Therefore, we restrict arbitrary context/substitution pairs to patterns. Third,
when new hypotheses $x \in \mathcal{P}$ are introduced, we must carefully ensure that they
are “smaller” than the property to be proven.

Definition 3 (Patterns). $(\Psi'; \sigma)$ is a pattern for $(\Psi; \mathcal{P})$ iff $\Psi' \vdash_{\Sigma;\Phi} \sigma : \Psi$ and
there exists a well-founded ordering $\prec$ on substitutions, s.t. $\Psi'$ is safe. $\Psi'$ is a
safe context iff

1. $\Psi' = \cdot$.

2. $\Psi' = \Psi'', x{:}A$ and $\Psi''$ is safe and $x$ occurs in a strict position in $\sigma$.

3. $\Psi' = \Psi'', [\rho]^L$ and $\Psi''$ is safe and $u \in \rho$ occurs in a strict position in $\sigma$.

4. $\Psi' = \Psi'', [\rho]^L$ and $\Psi''$ is safe and $\rho$ occurs in a strict position in $\sigma$.

5. $\Psi' = \Psi'', x \in \mathcal{P}'$ and $\Psi''$ is safe and $x$ occurs in a strict position in $\sigma$.

6. $\Psi' = \Psi'', x \in \mathcal{P}'$ and $\Psi''$ is safe and $\mathcal{P}' = \nu\rho_1. \ldots \nu\rho_n.\,[\sigma']\mathcal{P}$ and $\sigma' \prec \sigma$ for
some block variables $\rho_1^{L_1}, \ldots, \rho_n^{L_n} \in \Phi$.

Properties 1 through 5 guarantee that each variable declared in $\Psi'$ will be
instantiated once $\sigma$ is matched against an instantiation of $\Psi$. Property 6 enforces the
well-foundedness of the principle.

Finally, we can address the question when an induction principle covers all
cases. Because LF possesses canonical forms, any object of given type has only
finitely many head constructors (buried under finitely many abstractions). Let
$\Phi$ be a world, $\Gamma \in \mathcal{L}(\Phi)$, and $\Psi \Vdash_{\Sigma;\Phi} \mathcal{P}$ the conclusion of the induction principle.
Furthermore, let $\{(\Psi_1; \sigma_1) \ldots (\Psi_n; \sigma_n)\}$ be a set of patterns. The induction principle
is valid only if for any possible instantiation of declarations in $\Psi$ one pattern
exists that matches it.

Definition 4 (Cover). A set of patterns $\{(\Psi_1; \sigma_1) \ldots (\Psi_n; \sigma_n)\}$ for $(\Psi; \mathcal{P})$ is a
cover for a world $\Phi$ if for any $\Gamma \in \mathcal{L}(\Phi)$ and $\eta$ that satisfies $\Gamma \vdash \eta : \Psi$ there
exists $1 \le i \le n$ and an $\eta'$ for which $\Gamma \vdash \eta' : \Psi_i$, s.t.

$$\eta = \sigma_i \circ \eta'$$

Definition 5 (Induction principle for higher-order LF encodings). Let
$\{(\Psi_1; \sigma_1) \ldots (\Psi_n; \sigma_n)\}$ be a set of patterns for $(\Psi; \mathcal{P})$ that form a cover for the world
$\Phi$. Then we define the induction principle for higher-order encodings as follows.

$$\frac{\Psi_1 \Vdash_{\Sigma;\Phi} \mathcal{P}[\sigma_1] \qquad \ldots \qquad \Psi_n \Vdash_{\Sigma;\Phi} \mathcal{P}[\sigma_n]}{\Psi \Vdash_{\Sigma;\Phi} \mathcal{P}}\ \mathsf{ind}$$

In the interest of space, we omit the two syntactical criteria for termination and
coverage [Sch00].

5 Meta-theory 

The fragment of IL that is defined in Figure 1 and used throughout this paper is
closely connected to the λ-calculus through a realizability interpretation similar
to the Curry-Howard isomorphism. Every rule in IL can be endowed with a
proof term that corresponds to a total function. Formulas correspond to types.
The calculus of recursive functions for higher-order encodings [Sch01] forms the
type-theoretic foundation of this realizer calculus. In this section we show that
IL endowed with rule ind (written as $\mathrm{IL}^{\mathsf{ind}}$) is a sound extension of IL.

The induction principle ind is compatible with this view of provability, and
it extends the realizability interpretation from above in a natural and straightforward
way. Concretely, it allows realizers to be defined by case analysis and
recursion. In addition, $\mathrm{IL}^{\mathsf{ind}}$’s derivations still correspond to proof terms, because
ind satisfies Definition 4, which means that the functions corresponding
to derivations are guaranteed to cover all cases at all times, and since ind also
satisfies Condition 6 of Definition 3, recursion is always terminating.

We show that $\mathrm{IL}^{\mathsf{ind}}$ is sound by extending the realizability interpretation
of IL. First we show the admissibility of the ind rule in Lemma 4, which we
generalize to a proof that any derivation in $\mathrm{IL}^{\mathsf{ind}}$ corresponds to a realizer in
Theorem 4.

Lemma 4 (Admissibility of ind). Let $\mathcal{D} :: \Psi \Vdash_{\Sigma;\Phi} \mathcal{P}$ be a derivation in $\mathrm{IL}^{\mathsf{ind}}$
with ind being the last applied rule, whose premisses $\mathcal{D}_1 \ldots \mathcal{D}_n$ have corresponding
realizers. Let $\Gamma \in \mathcal{L}(\Phi)$. Then, for all substitutions (environments) $\eta$ with
$\Gamma \vdash \eta : \Psi$, there exists a total function $f$ (of type $\mathcal{P}$) that realizes $\mathcal{D}$.

Proof. Let $\mathcal{D}$ be the following derivation in $\mathrm{IL}^{\mathsf{ind}}$.

$$\frac{\begin{array}{ccc} \mathcal{D}_1 & & \mathcal{D}_n \\ \Psi_1 \Vdash_{\Sigma;\Phi} \mathcal{P}[\sigma_1] & \ldots & \Psi_n \Vdash_{\Sigma;\Phi} \mathcal{P}[\sigma_n] \end{array}}{\Psi \Vdash_{\Sigma;\Phi} \mathcal{P}}\ \mathsf{ind}$$

For any instantiation of $\Psi$ there exists a pattern $(\Psi_i, \sigma_i)$ that matches it, by
Definition 4. This matching operation instantiates all declarations in $\Psi_i$ (by
Properties 1 to 5 in Definition 3) that occur strictly in $\sigma_i$ by LF objects (for $x : A$),
parameters from the LF contexts (for the $[\rho]^L$) and values computed by the
realizers (for $x \in \mathcal{P}$). Variables $x$ declared in $\Psi_i$ that do not occur strictly have
to be computed recursively, an operation that terminates by Property 6 in
Definition 3. Once fully applied, the realizer that corresponds to $\mathcal{D}_i$ computes the
desired result.

Theorem 4 (Soundness of $\mathrm{IL}^{\mathsf{ind}}$). Let $\mathcal{D} :: \Psi \Vdash_{\Sigma;\Phi} \mathcal{P}$ be a derivation in $\mathrm{IL}^{\mathsf{ind}}$
and $\Phi$ be a valid world. Then, for all substitutions (environments) $\eta$ with
$\Gamma \vdash \eta : \Psi$, there exists a total function $f$ of type $\mathcal{P}$ that realizes $\mathcal{D}$.

Proof. By induction on $\mathcal{D}$ using Lemma 4 and the Curry-Howard isomorphism.



6 Related Work 

In earlier work we have used modal logic to add induction and primitive recursion
principles to the simply typed λ-calculus while preserving higher-order encodings
[DPS97,Hof99]. The calculus differs from this work in that it defines only one
language suitable for representation and reasoning simultaneously. In its original
formulation, the calculus was lacking dependent types, parts of which were
added in [Lel98]. Others have followed a categorical approach. Hofmann [Hof99],
for example, suggests a number of different induction and reasoning principles
for higher-order abstract syntax and he proved them all adequate using a category-theoretic
method. Earlier, [DH94] had proposed techniques to reformulate natural
higher-order as first-order encodings using auxiliary types, reducing hereby
the problem of induction for higher-order to standard induction. With this approach,
however, the user remains responsible for proving substitution lemmas.



A Type-Theoretic Approach to Induction with Higher-Order Encodings 279 



One advantage of using a logical framework such as LF is that the choice of
variable names can be left to the logical framework. The same goal is pursued
by [GM96,GP99] by exploiting permutation properties among variable names.
Their work has been implemented in FreshML [PG00] and is therefore related
to the realizer calculus underlying this work [Sch01]. FreshML supports higher-order
abstract syntax as well but it does not support dependent types.

Honsell et al. [HMS01] use higher-order representation techniques to formalize
concepts from process algebras. They have combined higher-order encodings
with coinduction principles and implemented their design in Coq [DFH+93].

Reasoning by induction is also supported by the calculus of partial inductive
definitions [Hal87] and definitional reflection [SH93]; however, both designs
require induction subjects to be closed.



7 Conclusion 

Higher-order encodings supported by logical frameworks such as LF bring many 
advantages in terms of elegance, efficiency, and maintenance, especially when 
representing complex systems, such as derivation systems, logics, type systems, 
operational semantics and others. They bring, however, at least one disadvan- 
tage: it is not easy to reason about them. In this paper we have developed a 
general induction principle for higher-order encodings and added it to first-order 
intuitionistic logic. The soundness of the design follows from a type theoretic 
argument by restricting LF contexts to be regularly formed. 

We have implemented a prototype version of a theorem prover that uses
worlds and the ind-rule in Twelf [PS99]. Twelf has successfully proven, for example,
the equivalence of Hilbert’s calculus, natural deduction calculus, and
the sequent calculus. Other experiments include the proof of the Church-Rosser
theorem for the untyped and the simply-typed λ-calculus, and cut-elimination
results for various propositional and first-order sequent calculi.

Our proposal provides one possible solution for the tension between reasoning 
by induction and higher-order encodings. It is applicable to the untyped, simply 
typed, and dependently typed setting. In addition, it does not interfere with 
any properties of the underlying logical framework, such as properties that are 
associated with contexts or variables. 
Abstract. Analysis of (partial) groundness is an important application
of abstract interpretation. There are several proposals for improving the
precision of such an analysis by exploiting type information, including
our own work [11], where we had shown how the information present
in the type declarations of a program can be used to characterise the
degree of instantiation of a term in a precise but finite way. This approach
worked for polymorphically typed logic programs. Here, we recast
this approach following [5,11]. To formalise which properties of terms
we want to characterise, we use labelling functions, which are functions
that extract subterms from a term along certain paths. An abstract term
collects the results of all labelling functions of a term. For the analysis,
programs are executed on abstract terms instead of the concrete ones,
and usual unification is replaced by unification modulo an equality theory
which includes the well-known ACI-theory. Thus we generalise [11]
w.r.t. the type systems considered and relate those two works.



1 Introduction 

Analysing logic programs for (partial) groundness is important e.g. in compiler 
optimisations. Analysis is usually based on abstract interpretation j^. 

It is known that abstract interpretation can be used to derive type infor- 
mation, and conversely, that type information can improve the precision of an 
analysis. E.g., being able to say that [1,X] is a list skeleton with possibly unin- 
stantiated elements is more precise than only being able to distinguish a ground 
from a non-ground term. Underlying most works is a descriptive view of types: 
types are not part of the programming language, but introduced to analyse an 
arbitrary, say Prolog, program. In such works, there is no sharp line between type 
and mode (groundness, instantiation) analysis: saying that a term is a list is at 
the same time a statement about its type and about its degree of instantiation. 

We adopt a prescriptive view of types. We analyse programs in typed languages,
e.g. Gödel jS], HAL [7], Mercury m. Therefore the types need not be
analysed since they are given by declarations or inference. Also, unlike [5], we
need not consider “ill-typed” terms such as [1|2], since these can never occur.

This paper is a synthesis of two other works taking the prescriptive view, m
Eg and [g. The generalisation w.r.t. 0n] concerns polymorphism, which is
disregarded in m and considered in |g only in a restricted form. We recast m
using some aspects of their formalisms. In particular, the notions of grammar
and variables labelling non-terminals m should improve the understanding of
what properties of terms our analysis captures, whereas ACI-unification may
provide the basis for an implementation using well-studied algorithms.

In the intuitive explanations that follow, we refer to a set of possible charac- 
terisations of the instantiation of a term as abstract domain. 

The standard example to explain the benefits of a typed analysis is the 
APPEND program. E.g., given the query append([A], [B], C), a typed analysis infers 
that any answer substitution binds C to a list. However, we need a more complex 
example to explain the advance of this paper over previous works. 

A table contains a collection of nodes, each of which has a key of type string,
and a value of arbitrary type. For any type τ, table(τ) is the type of tables
whose values have type τ. Tables can be implemented as AVL-trees |S]: a non-leaf
node has a key argument, a value argument, arguments for the left and
right subtrees, and an argument representing balancing information. For a term
of type table(τ), our abstract domain characterises the instantiation of all key
arguments, all value arguments, and all the “balancing” arguments.

The characterisation of the instantiation of the value arguments depends
on τ. Hence, our analysis supports parametric polymorphism. In devising an
analysis for polymorphically typed programs, there are two desirable properties:
the construction of an abstract domain for table(τ) should be truly parametric
in τ, and the abstract domains should be finite for a given program and query.

Being truly parametric means, e.g., that the abstract domain for table(str)
relates to str exactly as the abstract domain for table(int) relates to int.¹

In CD, types have been formalised as regular tree grammars. Each type is 
identified with a non-terminal, and it is assumed that there are only finitely 
many types, which is crucial for the termination of an analysis. In the presence 
of polymorphism, finiteness is problematic, since there are infinitely many types, 
e.g. list(int), list(list(int)), .... Nevertheless, under certain conditions, it 
can be ensured that for a given program, there are only finitely many types. This 
is in contrast to imposing an ad-hoc bound on the depth of types [S] . 

This paper is organised as follows. The next section provides some preliminaries. 
In Sec. 3, following [11], we show how the type of a term allows us to characterise 
its degree of instantiation. In Sec. 4, following [5], we define abstract 
terms based on the ACI1 equality theory. In Sec. 5 we formalise how abstract 
terms capture the degree of instantiation of concrete terms, thereby linking CD 
and EJ. Section 6 defines an abstraction of programs, and relates the semantics 
of a concrete program and its abstraction. Section 7 makes some comments on 
a possible future implementation, and Sec. 8 discusses our results. 

A long version of this paper containing all proofs can be found in m- 

2 Preliminaries 

We assume familiarity with the basic notions of logic programming [1^ . We use 
a type system for logic programs with parametric polymorphism [TITO . 



¹ We abbreviate string by str and integer by int. 

Let $\mathcal{K}$ be a finite set of (type) constructors, each $c \in \mathcal{K}$ with an arity $n \geq 0$ 
associated (by writing $c/n$), and $\mathcal{U}$ be a set of parameters. The set of types is 
the term structure $T(\mathcal{K}, \mathcal{U})$. A type substitution is an idempotent mapping 
from parameters to types which is the identity almost everywhere. We define 
the order $\preceq$ on types as the order induced by some (e.g. lexicographical) order 
on constructor and parameter symbols, where parameter symbols come before 
constructor symbols. The set of parameters in a syntactic object $o$ is denoted by 
$pars(o)$. Parameters are denoted by $u, v$, in concrete examples by U, V. A tuple 
of distinct parameters ordered w.r.t. $\preceq$ is denoted by $\bar{u}, \bar{v}$. A flat type is a type 
of the form $c(\bar{u})$, where $c \in \mathcal{K}$. 

Let $\mathcal{V}$ be a denumerable set of variables. The set of variables in a syntactic 
object $o$ is denoted by $vars(o)$. Variables are denoted by $x, y$, in concrete 
examples by X, Y. A tuple of distinct variables is denoted by $\bar{x}, \bar{y}$. 

A variable typing is a mapping from a finite subset of $\mathcal{V}$ to $T(\mathcal{K}, \mathcal{U})$, written 
as $\{x_1 : \tau_1, \ldots, x_n : \tau_n\}$. 

Let $\mathcal{F}$ (resp. $\mathcal{P}$) be a finite set of function (resp. predicate) symbols, each 
with an arity and a declared type associated, such that: for each $f/n \in \mathcal{F}$, the 
declared type has the form $(\tau_1, \ldots, \tau_n, \tau)$, where $(\tau_1, \ldots, \tau_n, \tau) \in T(\mathcal{K}, \mathcal{U})^{n+1}$ 
and $pars(\tau_1, \ldots, \tau_n) \subseteq pars(\tau)$; for each $p/n \in \mathcal{P}$, the declared type has the 
form $(\tau_1, \ldots, \tau_n)$, where $(\tau_1, \ldots, \tau_n) \in T(\mathcal{K}, \mathcal{U})^n$. We indicate the declared types 
by writing $f_{\tau_1, \ldots, \tau_n \to \tau}$ and $p_{\tau_1, \ldots, \tau_n}$. 

Throughout, we assume $\mathcal{K}$, $\mathcal{F}$, and $\mathcal{P}$ arbitrary but fixed. Terms are defined 
by the following inference rules, which allow us to infer judgements of the form 
$t : \tau$, read "$t$ is of type $\tau$". 

$$\{x : \tau, \ldots\} \vdash x : \tau \qquad\qquad 
\frac{\Gamma \vdash t_1 : \tau_1\Theta \;\cdots\; \Gamma \vdash t_n : \tau_n\Theta \qquad f_{\tau_1, \ldots, \tau_n \to \tau} \in \mathcal{F}}{\Gamma \vdash f(t_1, \ldots, t_n) : \tau\Theta} \quad (\Theta \text{ a type substitution})$$

There are similar rules for defining atoms, clauses etc. EH. All objects are 
defined relative to a variable typing $\Gamma$. Any objects we will encounter while 
analysing a typed program will be correctly typed according to those rules m. 

The set of atoms is denoted by $\mathcal{B}$, and elements of $2^{\mathcal{B}}$ are called interpretations. 
We denote by $\langle C_1, \ldots, C_n \rangle \propto_o I$ that $C_1, \ldots, C_n$ are elements of $I$ 
renamed apart from $o$ and from each other. Like [3], our analysis is independent 
of any particular concrete semantics. Examples will be given using the 
s-semantics, i.e. the semantics based on the non-ground $T_P$-operator: 

$$T_P(I) := \{H\theta \mid C = H \leftarrow B_1, \ldots, B_n \in P,\; \langle A_1, \ldots, A_n \rangle \propto_C I,\; 
\theta = MGU((B_1, \ldots, B_n), (A_1, \ldots, A_n))\}.$$

We denote by $[\![P]\!]_S$ the least fixpoint of $T_P$. We denote by $t_1 \leq t_2$ that $t_1$ is an 
instance of $t_2$. The domain of a substitution $\theta$ is denoted as $dom(\theta)$. 
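The non-ground $T_P$-operator just defined, worked through on the APPEND program mentioned in the introduction. This is an added example, not code from the paper; it assumes the usual two-clause APPEND program, first-order syntactic unification with an occurs check, and renaming apart by suffixing variable names (all choices of this example). Since $[\![P]\!]_S$ is infinite for APPEND, `iterate_tp` computes a bounded number of iterations of $T_P$ rather than the least fixpoint, and atoms are kept modulo variable renaming.

```python
# Added example, not code from the paper: the non-ground T_P-operator of the
# s-semantics (Sec. 2) with syntactic unification and renaming apart, iterated
# on the APPEND program.  Representation chosen here: a variable is a string
# starting with an uppercase letter, a term is (functor, arg1, ..., argn), an
# atom is a term, and a clause is (head, [body atoms]).
import itertools

def is_var(t):
    return isinstance(t, str)

def vars_of(t):
    return {t} if is_var(t) else {v for a in t[1:] for v in vars_of(a)}

def apply(theta, t):                        # tθ, θ kept in triangular form
    if is_var(t):
        return apply(theta, theta[t]) if t in theta else t
    return (t[0],) + tuple(apply(theta, a) for a in t[1:])

def unify(s, t, theta=None):                # MGU of s and t, None if none exists
    theta = {} if theta is None else theta
    s, t = apply(theta, s), apply(theta, t)
    if s == t:
        return theta
    if is_var(s) or is_var(t):
        v, u = (s, t) if is_var(s) else (t, s)
        if v in vars_of(u):                 # occurs check
            return None
        theta[v] = u
        return theta
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        theta = unify(a, b, theta)
        if theta is None:
            return None
    return theta

def rename(t, suffix):                      # rename apart: X becomes X_suffix
    if is_var(t):
        return t + "_" + suffix
    return (t[0],) + tuple(rename(a, suffix) for a in t[1:])

def normalise(t):                           # canonical variable names (mod renaming)
    names = {}
    def go(t):
        if is_var(t):
            return names.setdefault(t, "V%d" % len(names))
        return (t[0],) + tuple(go(a) for a in t[1:])
    return go(t)

def tp_step(program, I):
    """T_P(I): for every clause and every tuple of atoms of I, renamed apart
    from the clause and from each other, unify the body with the tuple and
    collect the instantiated head Hθ."""
    out = set()
    for ci, (head, body) in enumerate(program):
        head = rename(head, "c%d" % ci)
        body = [rename(b, "c%d" % ci) for b in body]
        for combo in itertools.product(I, repeat=len(body)):
            atoms = [rename(a, "i%d" % k) for k, a in enumerate(combo)]
            theta = {}
            for b, a in zip(body, atoms):
                theta = unify(b, a, theta)
                if theta is None:
                    break
            if theta is not None:
                out.add(normalise(apply(theta, head)))
    return out

def iterate_tp(program, steps):
    """The first 'steps' iterations of T_P from the empty interpretation."""
    I = set()
    for _ in range(steps):
        I = I | tp_step(program, I)
    return I

def answers(query, I):
    """Instances of a query atom obtained by unifying it with atoms of I."""
    out = []
    for k, a in enumerate(I):
        theta = unify(query, rename(a, "i%d" % k))
        if theta is not None:
            out.append(normalise(apply(theta, query)))
    return out

# The usual APPEND program, constructed here:
#   append([], Y, Y).   append([X|Xs], Y, [X|Zs]) :- append(Xs, Y, Zs).
APPEND = [
    (('append', ('nil',), 'Y', 'Y'), []),
    (('append', ('cons', 'X', 'Xs'), 'Y', ('cons', 'X', 'Zs')),
     [('append', 'Xs', 'Y', 'Zs')]),
]

if __name__ == "__main__":
    for atom in sorted(iterate_tp(APPEND, 3), key=str):
        print(atom)                          # three non-ground append atoms
    print(answers(('append', ('cons', 'A', ('nil',)), ('cons', 'B', ('nil',)), 'C'),
                  iterate_tp(APPEND, 3)))
```

Resolving the query append([A], [B], C) against the iterated interpretation binds C to the list [A, B], the concrete counterpart of what the introduction says a typed analysis infers abstractly.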
3 The Structure of Terms and Types 

We show how the type of a term allows us to characterise its structure. We alternate 
between recalling the formalism of [11] and adapting it to polymorphism. 



3.1 Regular Types as Presented in [11] 

Definition 3.1. A regular tree grammar is a tuple $(S, W, \Sigma, \Delta)$, where $W$ is 
a finite set of non-terminals, $S \in W$ is a starting non-terminal, $\Delta$ is a set of 
productions of the form $X \to f(Y_1, \ldots, Y_n)$ s.t. $X, Y_1, \ldots, Y_n \in W$ and $f/n \in 
\Sigma$. A regular tree grammar is deterministic if for any non-terminal $X$ and any 
two productions $X \to f(Y_1, \ldots, Y_n)$ and $X \to g(\ldots)$ with $g/m \in \Sigma$, $f/n \neq g/m$. 

Regular grammars define the class of languages called regular types. 

Example 3.2. The grammar $L \to \mathtt{nil} \mid \mathtt{cons}(E, L)$, $E \to \mathtt{a} \mid \mathtt{b}$ defines the language 
of ground lists of a's and b's. 

Using an analogy to tree automata [11], we represent derivations of a grammar 
$\mathcal{G}$ as transitions $N(f(t_1, \ldots, t_n)) \to f(N_1(t_1), \ldots, N_n(t_n))$, where $N \to 
f(N_1, \ldots, N_n)$ is a production of $\mathcal{G}$ ($n \geq 0$). We say that $\mathcal{G} = (S, W, \Sigma, \Delta)$ accepts 
a term $t$ if $S(t) \to^* t$. We are also interested in segments of a single path 
in a derivation tree starting from root $S$ and reaching a non-terminal $N$ with a 
subterm $t'$ of $t$, i.e., in derivations $S(t) \to^* s[N(t')]$, where $s[N(t')]$ means that $s$ 
has $N(t')$ as a subterm. Abusing notation, we write $S(t) \to^* N(t')$ in this case. 

Example 3.3. Given the grammar in Ex. 3.2 we have 

$$L(\mathtt{cons}(\mathtt{a}, \mathtt{nil})) \to \mathtt{cons}(E(\mathtt{a}), L(\mathtt{nil})) \to \mathtt{cons}(\mathtt{a}, L(\mathtt{nil})) \to \mathtt{cons}(\mathtt{a}, \mathtt{nil}).$$

We also write $L(\mathtt{cons}(\mathtt{a}, \mathtt{nil})) \to^* E(\mathtt{a})$ and $L(\mathtt{cons}(\mathtt{a}, \mathtt{nil})) \to^* L(\mathtt{nil})$. The 
notation can also be applied to non-ground terms, e.g. $L(\mathtt{cons}(X, Y)) \to^* L(Y)$. 



It is also convenient to depict a grammar as a type graph [TU]. We define a type graph 
for $\mathcal{G} = (S, W, \Sigma, \Delta)$ as a directed graph whose nodes are labelled by non-terminals, 
and there is an edge from $N$ to $N'$ iff there is a production $N \to f(\ldots, N', \ldots)$ 
in $\Delta$. We call the node labelled $S$ the starting node. Figure 1 shows the type graph 
for Ex. 3.2. 




3.2 Regular Types and Polymorphism 

Without polymorphism, type declarations can be easily translated into grammar 
rules. $\mathcal{K}$ is a finite set of type constants, so we can identify each type with 
a non-terminal, and each $f_{\tau_1, \ldots, \tau_n \to \tau} \in \mathcal{F}$ is translated into a production $\tau \to 
f(\tau_1, \ldots, \tau_n)$. So each $\tau$ corresponds to a grammar with starting non-terminal $\tau$. 

We now give a pseudo-definition of a grammar corresponding to a polymor- 
phic type — “pseudo” because the set of non-terminals may be infinite. 
[Fig. 2. Some type graphs, with starting node highlighted: panels (a), (b), (c), and 
the graphs for LISTS, NESTS and TABLES.] 



Definition 3.4. Consider a typed language given by $\mathcal{K}, \mathcal{F}$ and a type $\phi$. The 
grammar corresponding to $\phi$, denoted $\mathcal{G}(\phi)$, is the grammar (‘$\phi$’, $W$, $\mathcal{F}$, $\Delta$), 
where $W$ is inductively defined as follows: 

- ‘$\phi$’ $\in W$, 

- $f_{\tau_1, \ldots, \tau_n \to \tau} \in \mathcal{F}$ and ‘$\tau\Theta$’ $\in W$ for some type substitution $\Theta$ implies 
‘$\tau_1\Theta$’, ..., ‘$\tau_n\Theta$’ $\in W$, 

and $\Delta = \{$‘$\tau\Theta$’ $\to f($‘$\tau_1\Theta$’$, \ldots,$ ‘$\tau_n\Theta$’$) \mid$ ‘$\tau\Theta$’ $\in W\}$. 

The quotes ‘ ’ indicate that w.r.t. the grammar, types are just non-terminal symbols. 
Type graphs are defined as before. Figure 2 shows some type graphs. 

It is also useful to have names and a notation for the relations holding between 
the types in a type graph. 

Definition 3.5. A type $\sigma$ is a direct subterm type of $\phi$ (denoted as $\sigma \lhd \phi$) if 
there is $f_{\tau_1, \ldots, \tau_n \to \tau} \in \mathcal{F}$ and a type substitution $\Theta$ such that $\tau\Theta = \phi$ and $\tau_i\Theta = \sigma$ 
for some $i \in \{1, \ldots, n\}$. The transitive, reflexive closure of $\lhd$ is denoted as $\lhd^*$. If 
$\sigma \lhd^* \phi$, then $\sigma$ is a subterm type of $\phi$. 

We had defined these relations previously [ig. In [2], subterm types are called 
constituents. 

We now discuss two problems related to the generalisation to polymorphism. 
They have been mentioned previously US] and are illustrated here with examples. 

Example 3.6. Whenever we give a particular typed language, $\mathcal{K}$ is given implicitly 
as the set of all type constructors occurring in the type subscripts in $\mathcal{F}$. 

One would hope that even if a type language contains an infinite set of types, 
the type graph taking a fixed type as starting node should be finite. However, 
consider $\mathcal{F} = \{f_{c(c(u)) \to c(u)}\}$. The type graph of c(U) is infinite (see Fig. 2 (a)). 

To ensure finiteness, we impose the following condition on $\mathcal{K}, \mathcal{F}$. 

Reflexive Condition: For all $c \in \mathcal{K}$ and types $\sigma = c(\bar{\sigma}), \tau = c(\bar{\tau})$, if $\sigma \lhd^* \tau$, 
then $\sigma$ is a sub"term" (in the syntactic sense) of $\tau$. 

This condition is violated by Ex. 3.6 since c(c(U)) $\lhd$ c(U). With this condition in 
place, Def. 3.4 becomes a real definition rather than a pseudo-definition. 
The second problem is to make the grammars (or equivalently, type graphs) 
truly parametric. This will be crucial to make the abstract domains truly parametric, 
as mentioned in the introduction. 

Example 3.7. Consider $\mathcal{F} = \{f_{u \to k(u)}, g_{int \to k(str)}\}$. Figure 2 shows the type 
graphs for k(U) and k(str). It would clearly be wrong to say that "k(U) relates 
to U in the same way as k(str) relates to str". 

To rule out this anomaly, we impose the following condition on $\mathcal{K}, \mathcal{F}$. 

Flat Range Condition: For all $f_{\tau_1, \ldots, \tau_n \to \tau} \in \mathcal{F}$, $\tau$ is a flat type. 

In Mercury (and in ML and Haskell), this condition is enforced by the syntax. 
In the recent work of [^, we also find similar conditions. So from now on, we 
assume that any typed language meets these two conditions. 



3.3 Labelling as Presented in [11] 

Labellings can be used to characterise the degree of instantiation of a term taking 
its type into account, i.e., analyse a term on a per-role basis El. 

Definition 3.8. A variable $x$ in a term $t$ labels a non-terminal $N$ of a grammar 
$\mathcal{G}$ if $S(t) \to^* N(x)$, where $S$ is the starting non-terminal of $\mathcal{G}$. 

We denote by $\zeta(S, N, t)$ the function which returns the set of variables $x$ such 
that $S(t) \to^* N(x)$ (one could also write $\zeta(\mathcal{G}, N, t)$ [11]). 



Example 3.9. The grammar $LL \to \mathtt{nil} \mid \mathtt{cons}(L, LL)$, $L \to \mathtt{nil} \mid \mathtt{cons}(E, L)$, 
$E \to \mathtt{a} \mid \mathtt{b}$ accepts ground lists of lists of a's and b's. We use the usual list notation. 
The type graph of $LL$ is shown in Fig. 3 (list of lists). We are interested in the 
labelling of all non-terminals reachable from $LL$. Let $t = [[\mathtt{a}],[\mathtt{b}]]$. Then 
$\zeta(LL, E, t) = \zeta(LL, L, t) = \zeta(LL, LL, t) = \emptyset$. Now let $t = [[\mathtt{a}],[X]]$. Then 
$\zeta(LL, E, t) = \{X\}$ and $\zeta(LL, L, t) = \zeta(LL, LL, t) = \emptyset$. Now let $t = [[\mathtt{a}], X]$. 
Then $\zeta(LL, E, t) = \emptyset$, $\zeta(LL, L, t) = \{X\}$ and $\zeta(LL, LL, t) = \emptyset$. 




Ultimately, one is interested in whether a labelling function returns variables at 
all and not in their names. Nevertheless, it fits into the formalisms of mu and 
this paper to define labelling functions the way we do. We also refer to Sec. 8. 
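The grammar machinery of Sec. 3.1 and the labelling function $\zeta$ of Def. 3.8, as an added example (not code from the paper or from [11]). It encodes the grammars of Ex. 3.2 and Ex. 3.9, derives a term transition by transition as in Ex. 3.3, checks acceptance and determinism, and computes the labellings of Ex. 3.9. The tuple encoding of terms and grammars, and the encoding of a labelled term $N(t)$ as `('@', N, t)`, are this example's own choices.

```python
# Added example, not code from the paper: a regular tree grammar (Def. 3.1),
# derivations as transitions N(f(t1..tn)) -> f(N1(t1)..Nn(tn)) (Sec. 3.1),
# acceptance and the labelling function ζ(S, N, t) of Def. 3.8.
# Representation chosen here: a grammar maps each non-terminal to its
# productions [(functor, (child non-terminals))]; a term is a tuple
# (functor, arg1, ..., argn), a variable an uppercase string, and the
# labelled term N(t) is encoded as ('@', N, t).

def is_deterministic(grammar):
    """Def. 3.1: no non-terminal has two productions with the same f/n."""
    for prods in grammar.values():
        heads = [(f, len(kids)) for f, kids in prods]
        if len(heads) != len(set(heads)):
            return False
    return True

def rewrite_leftmost(grammar, term):
    """One transition at the leftmost labelled subterm N(f(t1..tn)) for which
    N -> f(N1..Nn) is a production; None if no transition applies.  A
    labelled variable N(x) is never rewritten, which is what ζ relies on."""
    if isinstance(term, str):
        return None
    if term[0] == '@':
        _, nt, t = term
        if not isinstance(t, str):
            for f, kids in grammar.get(nt, ()):
                if f == t[0] and len(kids) == len(t) - 1:
                    return (f,) + tuple(('@', k, a) for k, a in zip(kids, t[1:]))
        return None
    for i, arg in enumerate(term[1:], 1):
        new = rewrite_leftmost(grammar, arg)
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    return None

def derivation(grammar, start, t):
    """S(t) -> ... until no transition applies; returns the whole sequence."""
    seq = [('@', start, t)]
    while True:
        new = rewrite_leftmost(grammar, seq[-1])
        if new is None:
            return seq
        seq.append(new)

def labelled_subterms(term):
    """All N(t') still present in a term, as (N, t') pairs."""
    if isinstance(term, str):
        return
    if term[0] == '@':
        yield term[1], term[2]
        return
    for arg in term[1:]:
        yield from labelled_subterms(arg)

def accepts(grammar, start, t):
    """S(t) ->* t: the final term of the derivation carries no label."""
    return not list(labelled_subterms(derivation(grammar, start, t)[-1]))

def zeta(grammar, start, nt, t):
    """ζ(S, N, t): the variables x with S(t) ->* s[N(x)] (Def. 3.8)."""
    return {x for n, x in labelled_subterms(derivation(grammar, start, t)[-1])
            if n == nt and isinstance(x, str)}

def show(term):
    """Render in the paper's notation: N(t) for labels, f(a, b) for terms."""
    if isinstance(term, str):
        return term
    if term[0] == '@':
        return term[1] + "(" + show(term[2]) + ")"
    return term[0] + ("(" + ", ".join(map(show, term[1:])) + ")" if len(term) > 1 else "")

def plist(*items, tail=('nil',)):
    """Prolog list notation [i1, ..., in | tail] as cons/nil terms."""
    for x in reversed(items):
        tail = ('cons', x, tail)
    return tail

# Constructed grammars: Ex. 3.2 (lists of a's and b's) and Ex. 3.9 (lists of
# such lists, starting non-terminal LL).
G_LIST = {'L': [('nil', ()), ('cons', ('E', 'L'))], 'E': [('a', ()), ('b', ())]}
G_LL = dict(G_LIST, LL=[('nil', ()), ('cons', ('L', 'LL'))])

if __name__ == "__main__":
    for step in derivation(G_LIST, 'L', ('cons', ('a',), ('nil',))):
        print(show(step))                       # the four terms of Ex. 3.3
    print(zeta(G_LL, 'LL', 'L', plist(plist(('a',)), 'X')))   # {'X'}
```

A term with a functor that no production covers (such as [[c]] under $LL$) ends in a derivation that still carries a label, so `accepts` rejects it; a variable likewise keeps its label, which is exactly the information `zeta` reads off.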



3.4 Labelling and Polymorphism 

In the presence of polymorphism, type graphs can become arbitrarily big. Also, it 
would be desirable to describe the labellings for say list(int), list(list(int)), 
... in a uniform way. This motivates defining a hierarchy in the type graph El- 
Definition 3.10. A type $\sigma$ is a recursive type of $\phi$ (denoted as $\sigma \bowtie \phi$) if 
$\sigma \lhd^* \phi$ and $\phi \lhd^* \sigma$. We write $\bowtie(\phi)$ for the tuple of recursive types of $\phi$ other than 
$\phi$ itself, ordered by $\preceq$ (see Sec. 2). 

A type $\sigma$ is a non-recursive subterm type (NRS) of $\phi$ (denoted as $\sigma \lhd^{\circ} \phi$) 
if $\phi \not\lhd^* \sigma$ and there is a type $\tau$ such that $\sigma \lhd \tau$ and $\tau \bowtie \phi$. We write $\lhd^{\circ}(\phi)$ for the 
tuple of NRSs of $\phi$, ordered by $\preceq$. 

Consider the type graph for $\phi$. The recursive types of $\phi$ are the types in the 
strongly connected component (SCC) containing $\phi$. The NRSs of $\phi$ are the types 
$\sigma$ such that there is an edge from the SCC containing $\phi$ to $\sigma$. 

Example 3.11. Consider Fig. 2. Let $\mathcal{F}_{LISTS} = \{\mathtt{nil}_{list(u)}, \mathtt{cons}_{u, list(u) \to list(u)}\}$. 
We have list(U) $\bowtie$ list(U) and U $\lhd^{\circ}$ list(U). 

Let $\mathcal{F}_{NESTS} = \mathcal{F}_{LISTS} \cup \{\mathtt{e}_{v \to nest(v)}, \mathtt{n}_{list(nest(v)) \to nest(v)}\}$. NESTS implements 
rose trees, i.e., trees where the number of children of each node is arbitrary. 
Then list(nest(V)) $\bowtie$ nest(V) and nest(V) $\bowtie$ nest(V) and V $\lhd^{\circ}$ nest(V). 

Suppose $\mathcal{F}_{STRINGS}$ contains all strings. Let $\mathcal{F}_{TABLES} = \mathcal{F}_{STRINGS} \cup$ 
$\{\mathtt{lh}_{bal}, \mathtt{rh}_{bal}, \mathtt{b}_{bal}, \mathtt{null}_{table(u)}, \mathtt{node}_{table(u), str, u, bal, table(u) \to table(u)}\}$. 

Then table(U) $\bowtie$ table(U) and $\lhd^{\circ}$(table(U)) = (U, bal, str). 

An NRS of a flat type is often just a parameter of that type, as in U $\lhd^{\circ}$ list(U). 
However, this is not always the case, as witnessed by str $\lhd^{\circ}$ table(U). 

Instead of looking at the labellings of all non-terminals reachable from some $\phi$, 
we look only at $\lhd^{\circ}(\phi)$ and $\bowtie(\phi)$. This is crucial for polymorphism, since 
we cannot predict for all instances of $\phi$ which non-terminals are reachable from 
it. But the point can be explained even for a monomorphic example, so consider 
Fig. 3. We have $LL \bowtie LL$ and $L \lhd^{\circ} LL$. In the approach of [11], we may be interested 
in $\zeta(LL, E, t)$ for some term $t$, so in the labellings of $E$. In our approach, 
the domain construction for $LL$ depends on $E$ only indirectly, via the abstract 
domain for $L$. 

The key to a "parametric" abstract domain construction is to focus on type 
constructors, or equivalently, on flat types $c(\bar{u})$. E.g., we should focus on list(U) 
and not list(int). This is not surprising but has two non-obvious consequences. 

First, the relation $\lhd^{\circ}$ is not stable under instantiation. Compare LISTS with 
NESTS. We have U $\lhd^{\circ}$ list(U), but nest(V) $\bowtie$ list(nest(V)). The abstract domain 
for list(nest(V)) however, being derived from the abstract domain for 
list(U), must relate to nest(V) as if nest(V) was an NRS of list(nest(V)). 

We illustrate the second consequence with TABLES. The type table(U) has 
three NRSs. However, table(string) has only two NRSs, as U becomes instantiated 
to string. The domain for table($\tau$) will always be based on assuming 
three NRSs, even if by coincidence $\tau$ = string. 

We now define a function $Z$ in analogy to $\zeta$ but also collecting non-variable 
terms. In [11], a grammar could effectively be identified with its starting non-terminal. 
In what follows, we will always assume a grammar $\mathcal{G}(\phi)$ where $\phi$ is flat 
(Def. 3.4). However, it is also useful to consider productions of that grammar 
starting from some other non-terminal. Therefore $Z$ has four arguments, the 
additional first one specifying the grammar and the second the starting symbol. 
In [15], we had defined similar functions. 

Definition 3.12. Let $\phi$ be a flat type, $\tau$ be a type such that $\tau \bowtie \phi$, and $\sigma$ a 
type such that either $\sigma \bowtie \phi$ or $\sigma \lhd^{\circ} \phi$. We denote by $Z(\phi, \tau, \sigma, t)$ the function 
returning the set of all terms $s$ such that ‘$\tau$’$(t) \to^*$ ‘$\sigma$’$(s)$ in the grammar $\mathcal{G}(\phi)$. 
The function $Z$ is lifted to sets (in the fourth argument) in the obvious way. 

Example 3.13. Let $\mathcal{F} = \mathcal{F}_{LISTS} \cup \{\mathtt{a}_{char}, \mathtt{b}_{char}\}$. We have 

Z(list(U), list(U), list(U), [[a], [X]]) = {[[a], [X]], [[X]], []} 
Z(list(U), list(U), U, [[a], [X]]) = {[a], [X]} 
Z(list(U), list(U), list(U), [[a]|X]) = {[[a]|X], X}. 

Unlike $\zeta$ (Ex. 3.9), $Z$ cannot extract from [[a], [X]] the subterm X directly. 

Now consider NESTS augmented with the integers $0_{int}, 1_{int}, \ldots$. We have 

Z(nest(V), list(nest(V)), nest(V), [n([e(7)])]) = {n([e(7)]), e(7)}                (1) 
Z(nest(V), list(nest(V)), list(nest(V)), [n([e(7)])]) = {[n([e(7)])], [e(7)], []}   (2) 
Z(nest(V), list(nest(V)), V, [n([e(7)])]) = {7}                                     (3) 
Z(list(U), list(U), list(U), [n([e(7)])]) = {[n([e(7)])], []}                         (4) 
Z(list(U), list(U), U, [n([e(7)])]) = {n([e(7)])}                                     (5) 

Note the difference between the labellings for [n([e(7)])] depending on whether 
we use the grammar for nest(V) ((1)-(3)), or the grammar for list(U) ((4), (5)). E.g., 
in (5), we extract the only element from a list; coincidentally, this element is a 
nest. In (1), we extract all nests from a list of nests, thus including e(7). 



4 Abstract Terms 



We define an abstraction of terms based on Def. 3.10, thereby generalising . 
The abstract term $\alpha(t)$ describes the instantiation degree of $t$ by collecting $t$'s 
variables in a structure: roughly, by grouping subterms of the same type together. 

We first introduce set logic programs m. Consider a set of variables $\mathcal{V}$ and 
a set of functions $\mathcal{F}^{\oplus} = \{\emptyset, \oplus\}$, where $\emptyset/0$ represents the empty set and $\oplus/2$ 
is a set constructor. Set expressions are elements of the term algebra $T(\mathcal{F}^{\oplus}, \mathcal{V})$ 
modulo the ACI1 equality theory, consisting of: 

$$\begin{array}{ll}
(x \oplus y) \oplus z = x \oplus (y \oplus z) & \text{(associativity)} \\
x \oplus y = y \oplus x & \text{(commutativity)} \\
x \oplus x = x & \text{(idempotence)} \\
x \oplus \emptyset = x & \text{(unity)}
\end{array} \qquad (6)$$

In addition to $\emptyset$ and $\oplus$, we introduce a function symbol $c^{\mathcal{A}}$ for each $c \in \mathcal{K}$. 
The arity of $c^{\mathcal{A}}$ is given by the sum of cardinalities of $\lhd^{\circ}(c(\bar{u}))$ and $\bowtie(c(\bar{u}))$. 
Definition 4.1. We define 

$$\mathcal{F}^{\mathcal{A}} := \mathcal{F}^{\oplus} \cup \{c^{\mathcal{A}}/m \mid c \in \mathcal{K},\; m = \#(\lhd^{\circ}(c(\bar{u}))) + \#(\bowtie(c(\bar{u})))\}.$$

Now let $\tau = c(\bar{u})$, $\lhd^{\circ}(\tau) = (\rho_1, \ldots, \rho_{m'})$, and $\bowtie(\tau) = (\rho_{m'+1}, \ldots, \rho_m)$. For a term 
$t = f_{\tau_1, \ldots, \tau_n \to \tau}(t_1, \ldots, t_n)$, we define 

$$\alpha(t) = c^{\mathcal{A}}\Big(\bigoplus_{\tau_i = \rho_1} \alpha(t_i), \ldots, \bigoplus_{\tau_i = \rho_m} \alpha(t_i)\Big) \oplus \bigoplus_{\tau_i = \tau} \alpha(t_i).$$

For a variable $x$ we define $\alpha(x) = x$. 

In [1], the abstraction function is denoted type, and it is a special case of the 
above definition for $\#(\lhd^{\circ}(c(\bar{u}))) = 1$ and $\#(\bowtie(c(\bar{u}))) = 0$. The information we 
extract from the type declarations is formalised there by two functions $\alpha$ and $\pi$. 
Since their typing is descriptive, those have to be provided by the user. 

Example 4.2. Consider again Ex. 3.13. 

$$\begin{aligned}
\alpha(7) &= int^{\mathcal{A}} \\
\alpha([7]) &= list^{\mathcal{A}}(\alpha(7)) \oplus \alpha(\mathtt{nil}) = list^{\mathcal{A}}(int^{\mathcal{A}}) \oplus list^{\mathcal{A}}(\emptyset) \\
\alpha(\mathtt{e}(7)) &= nest^{\mathcal{A}}(\alpha(7), \emptyset) = nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset) \\
\alpha(\mathtt{n}([\mathtt{e}(7)])) &= nest^{\mathcal{A}}(\emptyset, \alpha([\mathtt{e}(7)])) = nest^{\mathcal{A}}(\emptyset, list^{\mathcal{A}}(nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset))).
\end{aligned}$$

Note how it comes into play (e.g., in the abstraction of nil) that the empty 
$\oplus$-sequence is defined as $\emptyset$. In [3], unlike in [1], there is no $\emptyset$. The list nil is 
abstracted as nil, and as a consequence, the list [7] is abstracted as list(int) $\oplus$ 
nil. We believe that an object list(int) $\oplus$ nil mixes types (abstract terms) 
and concrete terms in an undesirable way. 

Here, whenever an expression $c^{\mathcal{A}}(\ldots) \oplus c'^{\mathcal{A}}(\ldots)$ occurs, then $c = c'$. This 
explains why in Def. 4.1, the abstraction of those $t_i$ such that $\tau_i \bowtie \tau$ but $\tau_i \neq \tau$ 
is included in reserved argument positions of $c^{\mathcal{A}}(\ldots)$, whereas the abstraction 
of those $t_i$ such that $\tau_i = \tau$ is directly conjoined (using $\oplus$) with $c^{\mathcal{A}}(\ldots)$. 

As defined, $\alpha(t)$ is no smaller than $t$. But one would expect that 
$list^{\mathcal{A}}(int^{\mathcal{A}}) \oplus list^{\mathcal{A}}(\emptyset)$ can be simplified to $list^{\mathcal{A}}(int^{\mathcal{A}})$. Maybe less obvious, 
one might expect that $nest^{\mathcal{A}}(\emptyset, list^{\mathcal{A}}(nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset)))$ can be simplified 
to $nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset)$. To this end, we now define further axioms. 

Definition 4.3. For each $c^{\mathcal{A}}/m \in \mathcal{F}^{\mathcal{A}}$, the distributivity axiom is: 

$$c^{\mathcal{A}}(x_1, \ldots, x_m) \oplus c^{\mathcal{A}}(y_1, \ldots, y_m) = c^{\mathcal{A}}(x_1 \oplus y_1, \ldots, x_m \oplus y_m) \qquad (7)$$

Moreover, consider a flat type $\phi = d(\bar{v})$ such that $\lhd^{\circ}(\phi) = (\sigma_1, \ldots, \sigma_{l'})$, $\bowtie(\phi) = 
(\sigma_{l'+1}, \ldots, \sigma_l)$. For each $j \in \{l'+1, \ldots, l\}$, we have $\sigma_j = \tau\Theta$ for some flat type 
$\tau = c(\bar{u})$ and some $\Theta$. Suppose $\lhd^{\circ}(\tau) = (\rho_1, \ldots, \rho_{m'})$, $\bowtie(\tau) = (\rho_{m'+1}, \ldots, \rho_m)$. 
We define the extraction axiom for $\phi$ and $\sigma_j$ as follows: 

$$\begin{aligned}
& d^{\mathcal{A}}(x_1, \ldots, x_{j-1}, c^{\mathcal{A}}(y_1, \ldots, y_m) \oplus x_j, x_{j+1}, \ldots, x_l) = \\
& d^{\mathcal{A}}\Big(x_1 \oplus \bigoplus_{\rho_k\Theta = \sigma_1} y_k, \ldots, x_{j-1} \oplus \bigoplus_{\rho_k\Theta = \sigma_{j-1}} y_k,\; x_j,\; x_{j+1} \oplus \bigoplus_{\rho_k\Theta = \sigma_{j+1}} y_k, \ldots, x_l \oplus \bigoplus_{\rho_k\Theta = \sigma_l} y_k\Big) \oplus \bigoplus_{\rho_k\Theta = \phi} y_k.
\end{aligned}$$

Let ACI1DE be the theory given by the axioms in (6) and the distributivity 
and extraction axioms. We abbreviate ACI1DE by AC+ and denote equality 
modulo AC+ by $=_{AC+}$. 



Example 4.4. Consider LISTS and NESTS. The extraction axiom for nest(V) and 
list(nest(V)) is $nest^{\mathcal{A}}(x_1, list^{\mathcal{A}}(y) \oplus x_2) = nest^{\mathcal{A}}(x_1, x_2) \oplus y$. We have 

$$list^{\mathcal{A}}(int^{\mathcal{A}}) \oplus list^{\mathcal{A}}(\emptyset) =_{AC+} list^{\mathcal{A}}(int^{\mathcal{A}} \oplus \emptyset) =_{AC+} list^{\mathcal{A}}(int^{\mathcal{A}})$$

$$nest^{\mathcal{A}}(\emptyset, list^{\mathcal{A}}(nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset))) =_{AC+} nest^{\mathcal{A}}(\emptyset, \emptyset) \oplus nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset) =_{AC+} nest^{\mathcal{A}}(int^{\mathcal{A}}, \emptyset).$$

The last line says, intuitively: a nest containing a list containing a nest containing 
a (ground) integer is actually just a nest containing a (ground) integer. 

We can now define abstract terms that are simplified as much as possible. We 
denote a variable sequence $x_1 \oplus \cdots \oplus x_n$ as $\bar{x}^{\oplus}$ (this is $\emptyset$ if $n = 0$). The following 
definition is by a structural induction that is well-founded by m Lemma 4.3]. 

Definition 4.5. For a parameter, a normal abstract term has the form $\bar{x}^{\oplus}$. 

Now let $\tau = c(\bar{u})$ be a flat type such that $\lhd^{\circ}(\tau) = (\rho_1, \ldots, \rho_{m'})$ and $\bowtie(\tau) = 
(\rho_{m'+1}, \ldots, \rho_m)$, and $\Theta$ be any type substitution. A normal abstract term for 
$\tau\Theta$ is $\emptyset$ or of the form $c^{\mathcal{A}}(a_1 \oplus \bar{x}_1^{\oplus}, \ldots, a_{m'} \oplus \bar{x}_{m'}^{\oplus}, \bar{x}_{m'+1}^{\oplus}, \ldots, \bar{x}_m^{\oplus}) \oplus \bar{x}^{\oplus}$, where 
for each $i \in \{1, \ldots, m'\}$, $a_i$ is a normal abstract term for $\rho_i\Theta$. 

Theorem 4.6. For any $t$ with $\Gamma \vdash t : \phi$, $\alpha(t)$ has a representative which is 
a normal abstract term for $\phi$. The representative is unique up to the order of 
variables in $\oplus$-sequences. 

Example 4.4 shows the conversion of two abstract terms to their normal forms. 



5 Relating the Abstraction and the Labels 

The following theorem relates the abstraction of a term to the labellings (Sec. 3), 
thus linking with [11]. Note how $\alpha$ is lifted to sets: $\alpha(S) := \bigoplus_{t \in S} \alpha(t)$. 

Theorem 5.1. Let $\tau = c(\bar{u})$ be a flat type such that $\lhd^{\circ}(\tau) = (\rho_1, \ldots, \rho_{m'})$ and 
$\bowtie(\tau) = (\rho_{m'+1}, \ldots, \rho_m)$. For any term $t = f_{\tau_1, \ldots, \tau_n \to \tau}(t_1, \ldots, t_n)$ we have 

$$\alpha(t) =_{AC+} c^{\mathcal{A}}\big(\alpha(Z(\tau, \tau, \rho_1, t)), \ldots, \alpha(Z(\tau, \tau, \rho_{m'}, t)), 
\alpha(Z(\tau, \tau, \rho_{m'+1}, t)) \cap \mathcal{V}, \ldots, \alpha(Z(\tau, \tau, \rho_m, t)) \cap \mathcal{V}\big) \oplus (Z(\tau, \tau, \tau, t) \cap \mathcal{V}).$$

Example 5.2. Consider LISTS. We have 

$$\begin{aligned}
\alpha([[X],[7]]) &= list^{\mathcal{A}}(\alpha(Z(list(U), list(U), U, [[X],[7]]))) \oplus (Z(list(U), list(U), list(U), [[X],[7]]) \cap \mathcal{V}) \\
&= list^{\mathcal{A}}(\alpha(\{[X],[7]\})) \oplus (\{[[X],[7]], [[7]], []\} \cap \mathcal{V}) \\
&= list^{\mathcal{A}}(list^{\mathcal{A}}(X \oplus int^{\mathcal{A}})) \oplus \emptyset \\
&=_{AC+} list^{\mathcal{A}}(list^{\mathcal{A}}(X \oplus int^{\mathcal{A}})).
\end{aligned}$$

The theorem tells us how to read the abstract term. First, the absence of variables 
on the highest level (i.e. $\alpha([[X],[7]])$ is not of the form $x \oplus \ldots$) means 
that $Z(list(U), list(U), list(U), [[X],[7]])$ contains no variables, or, to refer to 
Ex. 3.9, $\zeta(LL, LL, [[X],[7]])$ is empty. Likewise, the theorem states that the argument 
of the outermost $list^{\mathcal{A}}$ contains the abstraction of all subterms of [[X],[7]] 
returned by $Z(list(U), list(U), U, [[X],[7]])$, and again in terms of [11], the absence 
of variables at this level tells us that $\zeta(LL, L, [[X],[7]])$ is empty. 
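Definitions 3.4 to 3.12 and the normal abstract terms of Sections 4 and 5, as one added example (not code from the paper, nor its earlier implementation in [15]). It builds the type graph from declarations, reporting a violation of the Reflexive Condition as in Ex. 3.6 instead of looping, computes $\lhd^{\circ}(\phi)$ and $\bowtie(\phi)$ for LISTS, NESTS and TABLES (Ex. 3.11, including the two NRSs of table(str) mentioned in Sec. 3.4), implements $Z$ (Ex. 3.13), and obtains normal abstract terms directly from the reading that Thm. 5.1 gives them (Ex. 4.2, 4.4, 5.2) rather than by rewriting with the AC+ axioms, so no unification modulo AC+ is needed. Assumptions of this example: the grammar $\mathcal{G}(\phi)$ is represented implicitly by the declarations $\mathcal{F}$, so `Z` takes the declarations plus three arguments instead of the paper's four; the three balancing constants of TABLES and the string constant `"k"` standing in for $\mathcal{F}_{STRINGS}$ carry constructed names.

```python
# Added example, not code from the paper: type declarations (Sec. 3.2),
# subterm types (Def. 3.5, 3.10), the labelling function Z (Def. 3.12) and
# normal abstract terms computed the way Thm. 5.1 reads them (Def. 4.5).
# Parameters/variables: uppercase strings; type: (name, args); term:
# (functor, arg1, ...); declaration f_{τ1..τn→τ}: (f, (τ1, ..., τn), τ).

def subst(ty, theta):                       # apply a type substitution Θ
    return theta.get(ty, ty) if isinstance(ty, str) else (ty[0], tuple(subst(a, theta) for a in ty[1]))

def match_range(rng, phi):                  # Θ with rngΘ = phi, rng a flat type
    if isinstance(rng, str) or isinstance(phi, str) or rng[0] != phi[0]: return None
    return dict(zip(rng[1], phi[1]))

def declared(F, functor):                   # (argument types, range) of f
    return next((a, r) for n, a, r in F if n == functor)

def direct_subterm_types(F, phi):           # all σ with σ ◁ φ (Def. 3.5)
    out = []
    for _, argtys, rng in F:
        theta = match_range(rng, phi)
        for a in (argtys if theta is not None else ()):
            if subst(a, theta) not in out:
                out.append(subst(a, theta))
    return out

def type_graph(F, phi, bound=100):          # edges reachable from φ (Def. 3.4)
    edges, todo = {}, [phi]
    while todo:
        t = todo.pop()
        if t not in edges:
            edges[t] = direct_subterm_types(F, t)
            todo.extend(edges[t])
        if len(edges) > bound:              # Ex. 3.6: Reflexive Condition broken
            raise ValueError("type graph of %r is not finite" % (phi,))
    return edges

def finite_type_graph(F, phi):              # False for Ex. 3.6
    try: return bool(type_graph(F, phi))
    except ValueError: return False

def reaches(edges, src, dst):               # is dst reachable from src?
    seen, stack = set(), [src]
    while stack:
        x = stack.pop()
        if x == dst: return True
        if x not in seen: seen.add(x); stack.extend(edges.get(x, ()))
    return False

def type_key(ty):                           # the order ≼: parameters first
    return (0, ty) if isinstance(ty, str) else (1, ty[0], tuple(map(type_key, ty[1])))

def nrs_and_rec(F, phi):                    # (NRSs of φ, recursive types ≠ φ)
    edges = type_graph(F, phi)
    rec = [s for s in edges if reaches(edges, s, phi)]              # SCC of φ
    nrs = [s for s in edges if s not in rec and any(s in edges[r] for r in rec)]
    return (tuple(sorted(nrs, key=type_key)),
            tuple(sorted((s for s in rec if s != phi), key=type_key)))

def Z(F, tau, sigma, t):                    # {s | 'τ'(t) ->* 'σ'(s)}, Def. 3.12
    found, stack = [], [(tau, t)]
    while stack:
        ty, s = stack.pop()
        if ty == sigma and s not in found: found.append(s)
        if isinstance(s, str): continue     # a variable: the derivation stops
        argtys, rng = declared(F, s[0])
        theta = match_range(rng, ty)
        if theta is not None:               # otherwise ty is a parameter
            stack.extend(zip((subst(a, theta) for a in argtys), s[1:]))
    return found

def alpha(F, S):                            # normal abstract term of a set S
    xs = frozenset(s for s in S if isinstance(s, str))
    nonvars = [s for s in S if not isinstance(s, str)]
    if not nonvars: return (None, xs)       # only variables (or ∅)
    tau = declared(F, nonvars[0][0])[1]     # c^A(..) ⊕ c'^A(..) only with c = c'
    nrs, rec = nrs_and_rec(F, tau)
    labels = lambda rho: [u for s in nonvars for u in Z(F, tau, rho, s)]
    varsof = lambda rho: frozenset(u for u in labels(rho) if isinstance(u, str))
    comps = [alpha(F, labels(rho)) for rho in nrs] + [varsof(rho) for rho in rec]
    return ((tau[0], tuple(comps)), xs | varsof(tau))   # c^A(..) ⊕ x̄ of Thm. 5.1

def show(a):                                # render, e.g. "list^A(int^A ⊕ X)"
    comp, xs = a
    parts = []
    if comp is not None:
        inner = [show(c if isinstance(c, tuple) else (None, c)) for c in comp[1]]
        parts.append(comp[0] + "^A" + ("(" + ", ".join(inner) + ")" if inner else ""))
    return " ⊕ ".join(parts + sorted(xs)) or "∅"

def plist(*items, tail=('nil',)):           # Prolog list [i1, ..., in | tail]
    for x in reversed(items):
        tail = ('cons', x, tail)
    return tail

# Constructed declarations for LISTS, NESTS and TABLES (Ex. 3.11, 3.13); the
# balancing constants' names and the string constant "k" are this example's choice.
U, V, INT, STR, BAL = 'U', 'V', ('int', ()), ('str', ()), ('bal', ())
L, N, T = (lambda t: ('list', (t,))), (lambda t: ('nest', (t,))), (lambda t: ('table', (t,)))
F_LISTS = [('nil', (), L(U)), ('cons', (U, L(U)), L(U))]
F_NESTS = F_LISTS + [('e', (V,), N(V)), ('n', (L(N(V)),), N(V))]
F_TABLES = [('"k"', (), STR), ('lh', (), BAL), ('rh', (), BAL), ('bl', (), BAL),
            ('null', (), T(U)), ('node', (T(U), STR, U, BAL, T(U)), T(U))]
F_ALL = F_NESTS + F_TABLES + [('7', (), INT), ('a', (), ('char', ()))]
```

Applied to a table node holding the values 7 and X, `alpha` returns table^A(int^A ⊕ X, bal^A, str^A), the answer abstraction of the insert example in Sec. 7; `nrs_and_rec(F_ALL, T(STR))` returns only two NRSs, which is the second consequence discussed in Sec. 3.4.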

6 The Analysis 

We show how an entire program is abstracted and how the abstract and concrete 
program are related semantically. We also show that the abstract semantics is 
finitely computable. Our analysis is an application of abstract interpretation [^. 

6.1 Abstract Substitutions and Abstract Unification 

Substitutions for abstract terms are defined as expected, their range containing 
abstract terms. The instantiation order $\leq_{AC+}$ is defined as: $a \leq_{AC+} b$ if 
$b\theta^{\mathcal{A}} =_{AC+} a$ for some $\theta^{\mathcal{A}}$. It is lifted to substitutions. We write $a \sim b$ for 
$a \leq_{AC+} b \wedge b \leq_{AC+} a$. One should not confuse $\sim$ with $=_{AC+}$! An abstract 
atom is an atom using abstract terms. The set of abstract atoms is denoted as 
$\mathcal{B}^{\mathcal{A}}$. For sets of abstract atoms $I_1^{\mathcal{A}}$ and $I_2^{\mathcal{A}}$, we define 

$$I_1^{\mathcal{A}} \leq_{AC+} I_2^{\mathcal{A}} \;\Leftrightarrow\; \forall A_1^{\mathcal{A}} \in I_1^{\mathcal{A}}\; \exists A_2^{\mathcal{A}} \in I_2^{\mathcal{A}}.\; A_1^{\mathcal{A}} \leq_{AC+} A_2^{\mathcal{A}},$$

and $I_1^{\mathcal{A}} \sim I_2^{\mathcal{A}}$ if $I_1^{\mathcal{A}} \leq_{AC+} I_2^{\mathcal{A}}$ and $I_2^{\mathcal{A}} \leq_{AC+} I_1^{\mathcal{A}}$. The elements of $[2^{\mathcal{B}^{\mathcal{A}}}]_{\sim}$ are 
called abstract interpretations. Abusing notation, we denote $[2^{\mathcal{B}^{\mathcal{A}}}]_{\sim}$ by $2^{\mathcal{B}^{\mathcal{A}}}$. 

Definition 6.1. An abstract term $a$ describes a concrete term $t$, denoted $a \propto t$, 
if $\alpha(t) \leq_{AC+} a$ (and likewise for atoms). 

For an interpretation $I$ and an abstract interpretation $I^{\mathcal{A}}$, we define $I^{\mathcal{A}} \propto I$ if 
$\alpha(I) \leq_{AC+} I^{\mathcal{A}}$. We now relate abstraction and application of a substitution. 
Lemma 6.2. [Lemma 4.1] Let $t$ be a term and $\theta$ a substitution. Then 
$\alpha(t\theta) =_{AC+} \alpha(t)\{x / \alpha(x\theta) \mid x \in dom(\theta)\}$. 

Example 6.3. We have $\alpha([X|Y]\{X/7, Y/\mathtt{nil}\}) = \alpha([7]) = list^{\mathcal{A}}(int^{\mathcal{A}}) =_{AC+} 
list^{\mathcal{A}}(int^{\mathcal{A}}) \oplus list^{\mathcal{A}}(\emptyset) = (list^{\mathcal{A}}(X) \oplus Y)\{X/int^{\mathcal{A}}, Y/list^{\mathcal{A}}(\emptyset)\} = 
\alpha([X|Y])\{X/\alpha(7), Y/\alpha(\mathtt{nil})\}$. 

The following theorem is a straightforward consequence. 

Theorem 6.4. [5, Thm. 4.2] Let $t_1, t_2$ be terms. If $t_1 \leq t_2$ then $\alpha(t_1) \leq_{AC+} 
\alpha(t_2)$ (and likewise for atoms). 



Definition 6.5. We denote by $\mathcal{CU}_{AC+}(o_1, o_2)$ a complete set of AC+-unifiers of 
syntactic objects $o_1, o_2$, i.e., a set of abstract substitutions such that for each 
$\theta^{\mathcal{A}} \in \mathcal{CU}_{AC+}(o_1, o_2)$, we have $o_1\theta^{\mathcal{A}} =_{AC+} o_2\theta^{\mathcal{A}}$, and moreover, for any $\theta'^{\mathcal{A}}$ such 
that $o_1\theta'^{\mathcal{A}} =_{AC+} o_2\theta'^{\mathcal{A}}$, we have $\theta'^{\mathcal{A}} \leq_{AC+} \theta^{\mathcal{A}}$ for some $\theta^{\mathcal{A}} \in \mathcal{CU}_{AC+}(o_1, o_2)$. 

AC+-unification of abstract terms is a correct abstract unification. 

Theorem 6.6. [3, Thm. 4.4] Let $A_1, A_2$ be atoms that are unifiable with MGU 
$\theta$, and $A_1^{\mathcal{A}}, A_2^{\mathcal{A}}$ be abstract atoms such that $A_1^{\mathcal{A}} \propto A_1$ and $A_2^{\mathcal{A}} \propto A_2$. Then there 
exists a unifier $\theta^{\mathcal{A}} \in \mathcal{CU}_{AC+}(A_1^{\mathcal{A}}, A_2^{\mathcal{A}})$ such that $A_1^{\mathcal{A}}\theta^{\mathcal{A}} \propto A_1\theta$. 

We also have that AC+-unification is optimal in the sense of [3, Thm. 4.6]. 

6.2 Abstraction of Programs 

A program is abstracted by replacing each term with its abstraction. Thus $\alpha$ is 
lifted in the obvious way to atoms, clauses, programs and queries. The semantics 
of the abstract program is defined by an AC+-enhanced $T_P$-operator. Formally 

$$T_P^{\mathcal{A}}(I^{\mathcal{A}}) = \{\alpha(H)\theta^{\mathcal{A}} \mid C = H \leftarrow B_1, \ldots, B_n \in P,\; \langle A_1^{\mathcal{A}}, \ldots, A_n^{\mathcal{A}} \rangle \propto_C I^{\mathcal{A}},\; 
\theta^{\mathcal{A}} \in \mathcal{CU}_{AC+}((\alpha(B_1), \ldots, \alpha(B_n)), (A_1^{\mathcal{A}}, \ldots, A_n^{\mathcal{A}}))\}.$$

Note that unlike for the usual $T_P$-operator, we have to consider a set of unifiers. 
We denote by $[\![\alpha(P)]\!]_{AC+}$ the least fixpoint of $T_P^{\mathcal{A}}$, which exists [3, Cor. 5.2]. The 
next theorem says that the abstract semantics describes the concrete semantics. 
It is proven as in [3], by induction on applications of $T_P$ and $T_P^{\mathcal{A}}$ using Thm. 6.6. 

Theorem 6.7. [3, Thm. 5.4] Let $P$ be a program. Then $[\![\alpha(P)]\!]_{AC+} \propto [\![P]\!]_S$. 

In the technicalities of this section, it may not have become clear in what sense 
our analysis is polymorphic. In any interesting example, the polymorphism is 
apparent in multiple occurrences of the same variable in an atom in the abstract 
semantics. These multiple occurrences indicate that the degree of instantiation is 
propagated by the program in a certain way. E.g., taking as $P$ the usual APPEND 
program, we obtain $[\![\alpha(P)]\!]_{AC+} = \{append(list^{\mathcal{A}}(X), Y, list^{\mathcal{A}}(X) \oplus Y)\}$. This 
atom represents the dependency between the degrees of instantiation of the different 
arguments of append, for any answer to a call to append. This information 
is polymorphic and can be combined with a more specialised analysis for a particular 
call to append. This call will have a particular degree of instantiation and a 
particular type. Take a call described by $append(list^{\mathcal{A}}(int^{\mathcal{A}}), list^{\mathcal{A}}(int^{\mathcal{A}}), Z)$, 
i.e., the first two arguments are ground integer lists. Then AC+-unification of 
$append(list^{\mathcal{A}}(int^{\mathcal{A}}), list^{\mathcal{A}}(int^{\mathcal{A}}), Z)$ and $append(list^{\mathcal{A}}(X), Y, list^{\mathcal{A}}(X) \oplus Y)$ 
yields $append(list^{\mathcal{A}}(int^{\mathcal{A}}), list^{\mathcal{A}}(int^{\mathcal{A}}), list^{\mathcal{A}}(int^{\mathcal{A}}))$. In contrast to [5], we 
should not read this as: we have inferred the type of the third argument. Rather, 
we have inferred its degree of instantiation. 

In [5| we find a result that the abstract semantics of a program is finite 
provided that the type abstraction is monomorphic. The result does not hold 
anymore for polymorphic type abstractions, and the authors give the program 
{p(0)., p([X]) ^ p(X).} as an example. As a solution, the authors propose a 
depth-k abstraction, i.e., some ad-hoc bound on the depth of types. 

In a prescriptive approach to typing, the above program is forbidden as it 
violates the head condition |13j . This condition says that the arguments in a head 
must be of the declared type of the predicate, rather than of a proper instance 
of that type. The second clause alone already violates it: whatever the declared 
type T of p, the term [X] has type list(T). Disregarding such programs, we have: 

Theorem 6.8. Let $P$ be a typed program. Then $[\![\alpha(P)]\!]_{AC+}$ is finite. 

As it stands, the theorem depends critically on the fact that we assume a bottom- 
up semantics. For lack of space, we refer to [14] . 

Along the lines of we could make further statements about the seman- 
tics, e.g. about call and answer patterns or optimality of the abstract semantics. 



7 Towards an Implementation 

So far, we have not implemented the analysis proposed in this paper. As far 
as computing the semantics of the abstract program is concerned, the only dif- 
ference w.r.t. |4I5| is that instead of ACI or ACIl we have the equality theory 
AC+. The unification problems for ACI and ACII are NP-complete. Studying 
AC+ is a topic for future work. While the extraction axioms seem somewhat 
non-standard [J, one would hope that they do not actually enter the algorithm 
provided one unifies two normal abstract terms. 

There is an implementation of the analysis we proposed in jl5J . In fact, this 
paper relates to [15] as |4I5| relates to [Sj. This is interesting because the authors 
mention that an implementation using ACI-unification turned out to be much 
faster than the implementation in [^. In particular, abstract unification is not 
as bad in practice as it seems by the theoretical result that it is NP-complete. 

To compute the abstraction of a program, in EH, the user must provide 
information about the particular type language used in a program (see paragraph 
after Def. 14.11) . whereas we extract this information from the declared types. We 
had demonstrated [15] that analysing the type declarations (computing the NRSs 
and recursive types) is viable even for some contrived, complex type declarations. 

To give at least one example of the advance of our analysis over [^, we use 
table(int). Suppose there is a predicate insert/4 whose arguments represent: 
a table t, a key k, a value v, and a table obtained from t by inserting the node 
whose key is k and whose value is v. From the abstract semantics of the program, 
it is possible to read that a query whose abstraction is 

$$insert(table^{\mathcal{A}}(int^{\mathcal{A}}, bal^{\mathcal{A}}, str^{\mathcal{A}}), str^{\mathcal{A}}, X, T),$$

i.e., a query to insert an uninstantiated value into a ground table, yields an 
answer whose abstraction is 

$$insert(table^{\mathcal{A}}(int^{\mathcal{A}}, bal^{\mathcal{A}}, str^{\mathcal{A}}), str^{\mathcal{A}}, X, table^{\mathcal{A}}(int^{\mathcal{A}} \oplus X, bal^{\mathcal{A}}, str^{\mathcal{A}})),$$

i.e., the result is a table whose values may be uninstantiated. 



8 Discussion 

We have proposed a formalism for deriving abstract domains from the type declarations 
of a typed program. Effectively, we have recast our previous work [15] 
using the formalisms of . We argue briefly why abstract interpretation using 
a unification theory such as ACI is elegant. The main reason is that the 
abstraction of a program turns out to be so simple (Subsec. 6.2). The operations 
on abstract terms that ensure that the abstract semantics is always finite are all 
encoded into the equality axioms. It is intriguing that the abstraction of program 
variables as themselves does not imply infinity of the abstract semantics. 

We now compare this paper with under several aspects. The contribution 
of this paper is entirely defined by the advance it makes w.r.t. isnms]. 
Concerning the relationship with other works, we refer to the discussions found 
there. However, we mention one recent work [2], which also claims to provide a 
generalisation of m to polymorphism, but it does not involve ACI-unification. 
Unfortunately, [2] contains no comparison with [5]. Such a comparison would 
also clarify the differences between [2] and our approach. One difference is that 
in [2], each clause is analysed separately for each type occurring in it. This can 
lead to a loss of precision since certain dependencies between the different types 
used in the clause may be lost. This cannot happen in our approach and [5]. 

The type system. Put in our terminology, [5] makes the following assumptions:
types are either monomorphic or unary, and the only subterm types of a type c(u)
are c(u) and u. This is the simplest thinkable scenario of proper polymorphism:
only lists and trees are covered; our TABLES and NESTS examples are not. In
contrast, El assumes regular types without polymorphism. Thus there are only
finitely many, but possibly very complex, types. So the type systems of mu
are not formally comparable, but our type system is a generalisation of both.
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Descriptive vs. prescriptive types. According to the authors’ claims, [5] takes a
descriptive view of typing, whereas m takes a prescriptive view.

Since the typing approach of is descriptive, it is reasonable that they must
consider “ill-typed” terms such as [1|2]. In this paper, all terms are “well-typed”.

In m, a unique grammar (type) is associated with each program variable. 
A unification constraint in a program gives rise to operations such as computing 
the intersection of two types. In our opinion, such operations introduce an aspect 
of type inference into their formalism contradicting a prescriptive view of typing. 

Labellings. Labellings are used to formalise which aspects of the structure of a
term we capture. In [^, they are absent, although they might have been useful.
In [15], there are similar functions called extractors and termination functions.

Unlike m, our Z also collects non-variable terms. This generalisation
allows us to describe the relation between a term and its abstraction (see Sec. 5).

The function ^ has three arguments: a grammar (which however can be identified
with its starting non-terminal), a non-terminal to be labelled, and a labelling
term. Our labelling function Z has four arguments. We found it useful to have
as first argument a flat type (e.g. nest(V)) which gives us a certain grammar,
but also to allow for productions of that grammar starting from some other
non-terminal (e.g. list(nest(V))). The difference between our labelling function and
that of m is due to polymorphism. In a monomorphic setting, one would define
the grammar for, say, “list of nest of integer” in an ad-hoc way, and then having
two arguments to characterise the grammar would be unnecessary.

Abstract terms. In the abstraction of terms is not made explicit, but effectively,
given a program variable x, its abstraction is the (somehow ordered) tuple
of non-terminals of the grammar of x. Non-terminals are thought of as abstract
variables. Our abstraction of terms, denoted α, is designed in such a way that
the abstraction type in [5] is essentially a special case of it. The reason for having
explicit abstract terms is related to polymorphism. They allow an encoding of
the instantiation information present in a program which can then be combined
with calls for particular polymorphic instances (see the example after Thm. ITTTjl).

Type hierarchies. Given a function f : ... → c(u), the abstraction type in [5]
distinguishes between the argument positions of declared type u and the “recursive”
argument positions. Our concepts of non-recursive subterm type and recursive
type generalise this idea. An NRS of a flat type is not necessarily a parameter,
and τ can have other recursive types than τ itself. In contrast, in m, all
non-terminals (types) reachable from the starting node of a grammar are treated in
the same way. This is viable since the size of the grammars is fixed beforehand.

Equality theory. The equality theory in m is ACI1. Distributivity is not
applicable. In [5], the equality theory is ACI, so there is no neutral element and
no distributivity. This is in contrast to [1] where the equality theory is ACI1
plus distributivity. We believe that regardless of concerns of implementation, a
neutral element and the distributivity axioms should be present at least
conceptually. Our extraction axioms are not applicable to mg.
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Types = abstract terms? In jQ, there is no distinction between a type constructor
c (resp. type) and the function (resp. abstract term). Also, the equivalent of
our α is called type abstraction and denoted by type. However, this identification
only works because the assumptions about the type system are so restrictive.

Precision. In El, the precision of an analysis depends on how the types (grammars)
are defined. E.g., one could formalise the type “list of integer” in such a
way that one can characterise that every 5th element of a list is ground. For lists
and trees, the precision of is the same as in our approach. More complex types
cannot be handled by |^. Also, there is no essential difference w.r.t. precision
between this work and Underlying any analysis is a decision on what is a
“reasonable” degree of precision. Here we decided that subterms of the same
type belong together since they are likely to serve a similar purpose. Note that
writing programs as polymorphically as possible helps improve precision. E.g.,
if one defines the type of pairs as pair(U, V), the two components will be
distinguished; if one defines the monomorphic type of integer pairs, they will not be.

Thus we have generalised by considering a type system which corresponds
to the type system of existing typed programming languages. We have given
several examples in Sec. 0 showing that such a generalisation is non-trivial. In
particular, there are two requirements: the construction of an abstract domain for
a polymorphic type should be truly parametric, and the abstract domains should
be finite for a given program and query. The biggest problem on a technical level
is the fact that the SCCs of a type graph are not stable under instantiation.

As future work, the analysis in this paper should be implemented, which
requires first some studies about the equality theory ACI1 and unification
algorithms for it. Moreover, we expect that the domains we propose here are also
useful for sharing analysis, as this has been shown in El.
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Abstract. We present a simple method for eliminating redundant
searches in model generation. The method employs Boolean Constraints,
which are conjunctions of ground instances of clauses having participated
in proofs. Boolean Constraints work as sets of lemmas with which duplicate
subproofs and irrelevant model extensions can be eliminated. The
method has been tentatively implemented on a constraint logic programming
system. We evaluated the effects of the method by proving some typical
problems taken from the CASC-JC system competition.



1 Introduction 

The model generation procedure tries to construct Herbrand models for a given 
clause set and determines its satisfiability. It maintains a set M of ground atoms 
called a model candidate, finds violated clauses that are not satisfied under M, 
then extends M to satisfy them, and repeats this process until a model is found 
or all model candidates are rejected. 

There are two types of redundancy in model generation: One is that the same
subproof tree may be generated at several descendant nodes after a case-splitting
occurs. Another is caused by unnecessary model candidate extensions with
irrelevant clauses. We embedded both folding-up and proof condensation [5] into
model generation for eliminating these redundancies by analyzing dependency
in a proof [4]. The embedded function examines the structure of the proof in order
to append a solved subproof-tree to an open branch. Nogood recording is a
similar approach in the constraint satisfaction framework.

This paper presents yet another method to eliminate the redundancies on the 
basis of semantical information. If the current model candidate conflicts with a 
set of instances of clauses that have participated in model generation so far, we 
can reject the model candidate without further exploration. We call the set a 
Boolean Constraint. It is worth noting that the Boolean Constraint consists of 
only ground instances of clauses and all atoms in model candidates are ground. 
Therefore, a conflict test is essentially propositional theorem proving. 

In this work, we utilize a constraint solver m on Boolean expressions for the
test, though we could utilize model generation itself or other proving methods in
principle. The main reason for utilizing the constraint solver is that it can compute
a simple (canonical) form of the Boolean Constraint which is incrementally
updated as the proof progresses. Since the constraint solver reduces the Boolean
Constraint to as simple a form as possible, it can detect the conflict efficiently.
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2 Model Generation

Throughout this paper, a clause ¬A1 ∨ ... ∨ ¬An ∨ B1 ∨ ... ∨ Bm is represented
in implicational form: A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm, where Ai (1 ≤ i ≤ n) and
Bj (1 ≤ j ≤ m) are atoms; the left hand side of → is said to be the antecedent
and the right hand side the consequent.

A clause is said to be positive if its antecedent is ⊤ (n = 0), and negative if its
consequent is ⊥ (m = 0); otherwise it is mixed (n ≠ 0, m ≠ 0). A clause is said to
be violated under a set M of ground atoms if the following condition holds with
some ground substitution σ: ∀i (1 ≤ i ≤ n) Aiσ ∈ M ∧ ∀j (1 ≤ j ≤ m) Bjσ ∉ M.

A model generation proof procedure is sketched in Fig. 1. Given a set S of
clauses, MG tries to construct a model by extending the current model candidate
M so as to satisfy violated clauses under M (model extension). When a negative
clause is violated under M, MG rejects M because there is no way of extending
M (model rejection). If no clause is violated under M, we conclude M is a model
of S, that is, S is satisfiable (model finding).



procedure MGTP(S): Res;
  /* Input(S): Clause set, Output(Res): satisfiability of S */
  return(MG(∅));

procedure MG(M): Res;   /* Input(M): Model candidate */
  1. (Model rejection) If a negative clause A1 ∧ ... ∧ An → ⊥ ∈ S is violated
     under M with a ground substitution σ, return unsatisfiable;
  2. (Model extension) If a positive or mixed clause A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm ∈ S
     is violated under M with a ground substitution σ,
       for (i = 1; i ≤ m; i++) {
         if (MG(M ∪ {Biσ}) = satisfiable) return satisfiable;
       }
       return unsatisfiable;
  3. (Model finding) If neither 1 nor 2 is applicable, return satisfiable;

Fig. 1. Model generation procedure



Consider the following set of clauses S1:

C1 : ⊤ → p(a) ∨ p(c)                              C2 : p(a) → q(b)
C3 : p(X) ∧ q(Y) → r(X,Y) ∨ r(X,X) ∨ r(Y,X)
C4 : p(X) ∧ q(Y) → r(s(X),Y) ∨ r(X,X) ∨ r(Y,X)
C5 : p(X) ∧ r(s(X),Y) → r(Y,s(X))
C6 : r(s(X),Y) ∧ r(Y,s(X)) → r(X,X)
C7 : r(X,X) → r(s(X),X) ∨ r(X,s(X))
C8 : p(X) ∧ q(Y) ∧ r(Y,X) → r(X,X)                C9 : r(s(X),X) → ⊥
C10 : r(X,s(X)) → ⊥                               C11 : p(c) → ⊥
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Fig. 2(a) shows a proof-tree for S1. The inner nodes of a proof-tree except
the root node are labeled with atoms used for model extension. A branch or a
path from the root to a node corresponds to a model candidate. A leaf labeled
with ⊥ indicates that the corresponding model candidate has been rejected. S1
is unsatisfiable because all leaves of its proof-tree are labeled with ⊥.



[Figure: (a) A normal proof-tree for S1; (b) the proof-tree with redundant
branches eliminated, edges labelled with the clauses C5, C6, C7, C8, C9, C10
used and the rejected candidates (M1), (M2) marked]

Fig. 2. Proof-trees of S1



The procedure MG in the above figure can be proved sound and complete in 
the sense that MG examines only models containing the model candidate M [^. 
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Theorem 1. Let S be a set of clauses and M be a set of ground atoms. Then
MG(M) returns unsatisfiable if and only if there is no model containing M.

Let BC be a set of ground instances of clauses in S that have been used for
model rejection and extension. If BC ∪ M is unsatisfiable, S ∪ M is unsatisfiable.
In this case, according to Theorem 1, we can reject M without further proving.
This rejection mechanism can reduce search spaces by orders of magnitude.
Fig. 3 shows a model generation procedure in which the rejection mechanism is
embedded. The framed parts are the embedded ones. We call the procedure model
generation with Boolean Constraints because BC is essentially the conjunction
of propositional clauses and can be treated as a Boolean expression.



procedure MGTP(S): Res;
  BC := ∅;                                                           (1)
  return(MG(∅));

procedure MG(M): Res;
  1. (Model rejection by BC)
     If (BC ∪ M is unsatisfiable) return unsatisfiable;              (2)
  2. (Model rejection by negative clauses) If a negative clause (A1 ∧ ... ∧ An → ⊥) ∈ S
     is violated under M with a ground substitution σ,
       BC := BC ∪ {A1σ ∧ ... ∧ Anσ → ⊥};                             (3)
       return unsatisfiable;
  3. (Model extension) If a positive or mixed clause (A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm) ∈ S
     is violated under M with a ground substitution σ,
       BC := BC ∪ {A1σ ∧ ... ∧ Anσ → B1σ ∨ ... ∨ Bmσ};               (4)
       for (i = 1; i ≤ m; i++) {
         if (MG(M ∪ {Biσ}) = satisfiable) return satisfiable
         elseif (BC ∪ M is unsatisfiable) return unsatisfiable       (5)
       }
       return unsatisfiable;
  4. (Model finding) If neither rule is applicable, return satisfiable;

Fig. 3. Model generation with Boolean Constraint



Initially, the set BC is set to the empty set ((1)). BC is updated whenever
ground instances of clauses are used for model extension or model rejection
((3), (4)). BC is used for model rejection prior to performing normal model
rejection and extension ((2)). This rejection works as folding-up to eliminate
duplicate subproofs. BC is also used for a model rejection test whenever each
extension MG(M ∪ {Biσ}) is finished ((5)). This rejection test works as proof
condensation to avoid unnecessary model extensions.
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Fig. 2(b) shows a proof tree for S1 obtained by model generation with Boolean
Constraints. The mark * indicates a branch pruned by operation (2), while the
mark × indicates one pruned by operation (5).

BC becomes BC1 = {C1, C2, C3σ1, C4σ1, C5σ1, C6σ1, C7σ2, C9σ2, C10σ2}
after the second branch from the left has been rejected, where σ1 = {X ↦ a, Y ↦ b}
and σ2 = {X ↦ a}. Then, the next model candidate M1 to be
solved is {p(a), q(b), r(a,b), r(a,a)}. However, since BC1 ∪ M1 is unsatisfiable,
M1 is rejected. After the model extension under r(b,a) with clause C8σ2 has
been performed, BC becomes BC2 = BC1 ∪ {C8σ2}. The corresponding model
candidate M2 is {p(a), q(b), r(a,b), r(b,a), r(a,a)}. In this case, BC2 ∪ M2 is
unsatisfiable as well, so that M2 is rejected.

On the other hand, BC2 ∪ {p(a), q(b)}, that is, BC2 ∪ M3, is unsatisfiable.
Therefore, the exploration of r(a,a) and r(b,a) below q(b) can be eliminated.
Thus, we obtain a proof-tree which has 12 inner nodes while the normal
proof-tree shown in (a) has 23 inner nodes.
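The procedures of Fig. 1 and Fig. 3 run on S1, as an added example that is not the authors' B-Prolog implementation: the clause set is transcribed from the listing above, the conflict test "BC ∪ M unsatisfiable?" is a small DPLL of our own, and each run returns the satisfiability verdict together with the number of inner nodes of the proof-tree (pruned nodes included, as counted for Fig. 2).

```python
"""Model generation (Fig. 1) and model generation with Boolean Constraints
(Fig. 3) run on the paper's clause set S1.  Added example, not the authors'
B-Prolog implementation; the term encoding and the DPLL conflict test are ours."""
from itertools import product

def is_var(t):                        # variables are upper-case strings: 'X', 'Y'
    return isinstance(t, str) and t[:1].isupper()

def subst(t, s):                      # apply substitution s to a term or atom
    if is_var(t):
        return s.get(t, t)
    return (t[0],) + tuple(subst(a, s) for a in t[1:]) if isinstance(t, tuple) else t

def match(pat, term, s):              # one-way match of pat against a ground term
    if is_var(pat):
        return {**s, pat: term} if s.get(pat, term) == term else None
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term) and pat[0] == term[0]:
        for p_, t_ in zip(pat[1:], term[1:]):
            s = match(p_, t_, s) if s is not None else None
        return s
    return s if pat == term else None

def violated(clause, M):              # the paper's "violated under M": a ground sigma
    ante, cons = clause               # with every Ai sigma in M, no Bj sigma in M, or None
    for atoms in product(M, repeat=len(ante)):
        s = {}
        for a_, m_ in zip(ante, atoms):
            s = match(a_, m_, s) if s is not None else None
        if s is not None and all(subst(b, s) not in M for b in cons):
            return s
    return None

def satisfiable(bc, true_atoms):      # conflict test: is BC u M satisfiable?  (plain DPLL)
    def dpll(assign):                 # bc: ground clauses as (negative atoms, positive atoms)
        changed = True
        while changed:                                  # unit propagation
            changed = False
            for neg, pos in bc:
                lits = [(a, False) for a in neg] + [(a, True) for a in pos]
                if any(assign.get(a) is v for a, v in lits):
                    continue                            # clause already satisfied
                free = [(a, v) for a, v in lits if a not in assign]
                if not free:
                    return False                        # clause falsified
                if len(free) == 1:
                    assign = {**assign, free[0][0]: free[0][1]}
                    changed = True
        for neg, pos in bc:                             # branch on an unassigned atom
            for a in neg | pos:
                if a not in assign:
                    return dpll({**assign, a: True}) or dpll({**assign, a: False})
        return True
    return dpll({a: True for a in true_atoms})          # atoms of M are fixed to true

def ground(c, s):                     # ground instance as (negative atoms, positive atoms)
    return (frozenset(subst(a, s) for a in c[0]), frozenset(subst(b, s) for b in c[1]))

def mg(S, M, BC, stats):
    """MG of Fig. 1 when BC is None, MG of Fig. 3 when BC is the shared list of
    ground clause instances; labels (2)-(5) refer to Fig. 3.  M is a tuple of atoms."""
    if BC is not None and not satisfiable(BC, M):                 # (2)
        return False
    for c in S:                                                    # model rejection
        s = violated(c, M) if not c[1] else None
        if s is not None:
            if BC is not None:
                BC.append(ground(c, s))                            # (3)
            return False
    for c in S:                                                    # model extension
        s = violated(c, M) if c[1] else None
        if s is not None:
            if BC is not None:
                BC.append(ground(c, s))                            # (4)
            for b in c[1]:
                stats['nodes'] += 1                                # one inner node per child
                if mg(S, M + (subst(b, s),), BC, stats):
                    return True
                if BC is not None and not satisfiable(BC, M):     # (5)
                    return False
            return False
    return True                                                    # model finding

def prove(S, with_bc):
    """MGTP(S): (True iff satisfiable, number of inner nodes of the proof-tree)."""
    stats = {'nodes': 0}
    return mg(S, (), [] if with_bc else None, stats), stats['nodes']

def p(x): return ('p', x)
def q(x): return ('q', x)
def r(x, y): return ('r', x, y)
def succ(x): return ('s', x)

S1 = [                                                             # clause set S1
    ([], [p('a'), p('c')]), ([p('a')], [q('b')]),                                # C1, C2
    ([p('X'), q('Y')], [r('X', 'Y'), r('X', 'X'), r('Y', 'X')]),                 # C3
    ([p('X'), q('Y')], [r(succ('X'), 'Y'), r('X', 'X'), r('Y', 'X')]),           # C4
    ([p('X'), r(succ('X'), 'Y')], [r('Y', succ('X'))]),                          # C5
    ([r(succ('X'), 'Y'), r('Y', succ('X'))], [r('X', 'X')]),                     # C6
    ([r('X', 'X')], [r(succ('X'), 'X'), r('X', succ('X'))]),                     # C7
    ([p('X'), q('Y'), r('Y', 'X')], [r('X', 'X')]),                              # C8
    ([r(succ('X'), 'X')], []), ([r('X', succ('X'))], []), ([p('c')], []),        # C9, C10, C11
]
# prove(S1, False) -> (False, 23); prove(S1, True) -> (False, 12)
```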



3 Implementation and Modifications 

The method is implemented on top of the constraint logic programming system
B-Prolog m, which supports constraint solvers over trees, Booleans, finite domains
and sets. We manipulate the set BC of ground instances of clauses through the
constraint solver. Thus, BC is maintained within the constraint solver. When
updating BC (Fig. 3 (3)(4)), we tell (¬A1σ ∨ ... ∨ ¬Anσ) = TRUE or (¬A1σ ∨ ... ∨
¬Anσ ∨ B1σ ∨ ... ∨ Bmσ) = TRUE to the constraint solver. On the other hand,
when testing whether a conflict occurs (Fig. 3 (2)(5)), we ask the constraint solver
“Is A = TRUE possible for all A ∈ M?” If they can all become TRUE, BC ∪ M is
satisfiable; otherwise, it is unsatisfiable.

We give two modifications of the method, in order to reduce the heavy load of
the conflict test (Fig. 3 (2)(5)), which is essentially propositional theorem
proving. One ignores some ground instances of clauses which participate in model
extensions so as to reduce the number of elements in BC. The other reduces the
number of conflict tests.

The first one is realized by delaying the operation (4) in Fig. 3 as shown
in Fig. 4. A clause A1σ ∧ ... ∧ Anσ → B1σ ∨ ... ∨ Bmσ is not added to BC
when ∃i (1 ≤ i ≤ m) (MG(M ∪ {Biσ}) = satisfiable) or BC ∪ M becomes
unsatisfiable at the operation (5). In other words, we add the clause to BC only
when it contributes to deriving unsatisfiable.

The second one is realized by delaying the operation (2) until performing
model extensions with non-Horn clauses as shown in Fig. 5.

4 Experimental Results

This section compares five versions:

(1) Model generation without Boolean Constraints as shown in Fig. 1
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Fig. 4. Delaying BC updating in model extension



(Model extension) If a positive or mixed clause (A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm) ∈
S is violated under M with a ground substitution σ,

  if (m > 1 and BC ∪ M is unsatisfiable) return unsatisfiable;     (2)



Fig. 5. Delaying model rejection by BC



(2) Model generation with Boolean Constraints as shown in Fig. 3

(3) Model generation with Boolean Constraints modified as shown in Fig. 4

(4) Model generation with Boolean Constraints modified as shown in Fig. 5

(5) Model generation with Boolean Constraints modified as shown in Fig. 4 and
Fig. 5

We select problems in the EPR division of the CASC-JC system competition 2001 PQ
as benchmarks. The EPR division collects non-propositional theorems and
non-theorems with a finite Herbrand universe. The EPR division consists of the EPT
category (unsatisfiable clauses) and the EPS category (satisfiable clauses). The
model generation procedure seems to be suitable for the EPR division because
it can generate only finite Herbrand models in practice.

Tables 1 and 2 show the proving performance of the five versions. The problems
were run on a SUN Ultra 60 (450MHz, 1GB, Solaris 2.7) workstation with
a time limit of 5 minutes and a space limit of 240MB. There are 16 EPT problems
(footnote 1) and 7 EPS problems (footnote 2) which all versions fail to solve.
These problems are not listed in the tables.

Version (5) outperforms the other versions for both the EPT and EPS categories
according to the number of problems solved and average runtimes over solutions
found. This shows that the combination of the two modifications has a great effect

1 GRP125-2.005, GRP127-2.006, GRP128-2.006, PUZ010-1, PUZ017-1, PUZ037-3*,
SYN436-1, SYN439-1, SYN440-1, SYN447-1, SYN457-1, SYN460-1, SYN466-1,
SYN467-1, SYN472-1, SYN482-1 (* Horn problem)

2 GRP123-2.005, GRP124-7.005, SYN423-1, SYN428-1, SYN437-1, SYN438-1,
SYN544-1
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Table 1. Experimental results for EPR division

Problems solved in EPT category (25 problems)

Problem          (1)          (2)          (3)          (4)          (5)
GRP128-3.005     T.O.         T.O.         T.O.         T.O.         266.50
                 -            -            -            -            15456(637)
                 -            -            -            -            4825+5544
GRP129-3.004     M.O.         T.O.         23.19        T.O.         10.24
                 -            -            2718(234)    -            2868(276)
                 -            -            543+977      -            501+977
GRP129-4.004     M.O.         T.O.         5.99         16.29        4.24
                 -            -            2136(18)     1584(37)     2393(63)
                 -            -            302+1290     280+791      257+1290
LAT005-1*        1.84         6.14         23.90        2.06         2.00
                 248(1)       249(1)       249(1)       249(1)       249(1)
                 -            0+0          0+0          0+0          0+0
LAT005-2*        1.54         5.29         20.91        1.73         1.68
                 248(1)       249(1)       249(1)       249(1)       249(1)
                 -            0+0          0+0          0+0          0+0
PUZ018-1         T.O.         48.86        18.61        2.48         1.95
                 -            437(72)      454(80)      435(71)      456(80)
                 -            7+210        8+206        8+209        8+206
PUZ036-1.005*    1.01         7.26         T.O.         3.19         2.32
                 1396(1)      1397(1)      -            1397(1)      1397(1)
                 -            0+0          -            0+0          0+0
PUZ037-1*        0.01         0.02         0.03         0.02         0.02
                 13(1)        14(1)        14(1)        14(1)        14(1)
                 -            0+0          0+0          0+0          0+0
PUZ037-2*        31.33        63.69        T.O.         54.78        T.O.
                 2736(1)      2737(1)      -            2737(1)      -
                 -            0+0          -            0+0          -
Solved           5            6            6            7            8
Av. Time (secs)  7.15         21.88        15.44        11.51        36.12

Problems solved in EPS category (25 problems)

Problem          (1)          (2)          (3)          (4)          (5)
GRP126-2.005     M.O.         T.O.         78.20        T.O.         32.89
                 -            -            9389(405)    -            10204(533)
                 -            -            2707+3133    -            2579+3133
GRP126-3.005     M.O.         T.O.         88.65        T.O.         33.62
                 -            -            8790(345)    -            9695(470)
                 -            -            2458+3067    -            2333+3067
GRP127-3.005     M.O.         T.O.         196.59       T.O.         86.11
                 -            -            8914(742)    -            9126(793)
                 -            -            2285+3112    -            2234+3112
GRP128-1.004     M.O.         T.O.         4.80         T.O.         2.49
                 -            -            1891(60)     -            1996(94)
                 -            -            316+777      -            282+777
GRP129-3.005     T.O.         T.O.         95.38        T.O.         50.13
                 -            -            12698(197)   -            13286(371)
                 -            -            3932+5109    -            3758+5109

(continues)

Table 2. Experimental results for EPR division (continued)

EPS              (1)          (2)          (3)          (4)          (5)
GRP130-3.004     M.O.         154.43       8.40         12.80        3.83
                 -            1838(112)    1967(117)    1826(119)    2054(134)
                 -            235+627      262+677      213+606      245+677
GRP130-4.004     M.O.         40.38        2.14         2.05         1.26
                 -            716(18)      766(18)      549(19)      815(28)
                 -            48+439       57+470       36+313       47+470
GRP133-2.004     M.O.         T.O.         8.92         43.66        4.10
                 -            -            2432(214)    2117(177)    2501(235)
                 -            -            440+718      404+617      419+718
NLP005-1         0.20         0.24         0.29         0.17         0.18
                 66(1)        66(1)        66(1)        66(1)        66(1)
                 -            0+0          0+0          0+0          0+0
NLP006-1         1.22         0.41         0.41         1.44         1.35
                 375(12)      113(2)       113(2)       386(12)      386(12)
                 -            10+0         10+0         0+0          0+0
NLP008-1         0.17         0.24         0.26         0.18         0.18
                 67(1)        67(1)        67(1)        67(1)        67(1)
                 -            0+0          0+0          0+0          0+0
NLP012-1         0.17         0.23         0.25         0.20         0.18
                 66(1)        66(1)        66(1)        66(1)        66(1)
                 -            0+0          0+0          0+0          0+0
NLP013-1         0.18         0.23         0.26         0.19         0.17
                 66(1)        66(1)        66(1)        66(1)        66(1)
                 -            0+0          0+0          0+0          0+0
PUZ018-2         T.O.         132.82       40.68        4.88         3.17
                 -            764(167)     778(174)     773(167)     787(174)
                 -            7+210        7+207        7+210        7+207
SYN307-1         0.00         0.01         0.00         0.01         0.01
                 5(1)         5(1)         5(1)         5(1)         5(1)
                 -            0+0          0+0          0+0          0+0
SYN434-1         M.O.         T.O.         185.30       13.33        13.33
                 -            -            506(112)     492(104)     509(112)
                 -            -            11+41        13+42        11+41
SYN446-1         M.O.         T.O.         113.26       180.57       28.59
                 -            -            1204(256)    1091(183)    1314(256)
                 -            -            116+158      107+153      116+158
SYN463-1         M.O.         T.O.         58.13        19.06        12.38
                 -            -            1503(318)    1193(189)    1643(318)
                 -            -            132+218      97+211       132+218
Solved           6            9            18           13           18
Av. Time (secs)  0.32         36.55        49.00        21.43        15.22

top: cpu times in seconds (* Horn problem)
middle: No. of nodes in proof trees (No. of branches in proof trees)
bottom: No. of branches pruned by operation (2) + No. of model extensions
eliminated by operation (5)
T.O.: Time out (> 300 secs)   M.O.: Memory overflow (> 240MB)
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on pruning the search space. The number of problems solved has increased from 3 to
8 for EPT and from 12 to 18 for EPS.

One exception is the statistics for PUZ037-2 (see footnote 4), which version (5)
(and (3)) cannot solve within the time limit while the other versions, including (1),
can solve it. The reason for the exception is that tail recursion elimination [10] is not
applicable to the current implementations of versions (5) and (3). Therefore
thousands of stack frames need to be allocated for solving PUZ037-2. These
allocations are space and time consuming.

Delaying BC updating (in versions (3) and (5)) enlarges the search space (the
number of nodes of proof trees in this experiment) a little but reduces cpu time
in many cases. For example, compare (2) and (3), or (4) and (5), for PUZ018-1
or GRP130-3.004 in the tables. Delaying BC updating also delays detection of the
conflict, and so enlarges proof trees. However, it reduces the number of elements
in BC and thereby the number of distinct atoms in BC. Thus, it
decreases the complexity of the conflict test.

There are few cases in which version (2), (3), (4), or (5) exhausts memory,
even though the size of BC becomes exponentially large in the worst case. This
space efficiency is due to the implementation technology of B-Prolog, which
maintains BC in a canonical form.

Compared to the 8 systems which attended the EPR division of the competition,
version (5) ranks 7 of 8 for EPT and 3 of 8 for EPS. The experimental
results show that the presented method seems to prefer satisfiable problems to
unsatisfiable ones. The reason for this is that proving unsatisfiability corresponds
to an exhaustive search while proving satisfiability corresponds to a single
solution search, from the point of view of searching for models.

Compared with model generation with folding-up and proof condensation
(MCFP), many of the problems solved in the EPR division overlap. The following
problems show the difference. GRP128-3.005 is solved by version (5) while
it is not solved by MCFP. On the other hand, the experimental results for PUZ037-2,
SYN482-1, and SYN438-1 show the reverse. Model generation with Boolean
Constraints includes MCFP as a special case, that is, any branches pruned by
the latter are also pruned by the former, but the reverse does not hold. These
experimental results suggest that Boolean Constraints require more space or time
than MCFP does in some cases.

5 Future Work 

Generating minimal Herbrand models of clausal theories is useful in several areas 
of computer science. Bry and Yahya presented a sound and complete procedure 
for generating minimal models [2]. The procedure rejects nonminimal models 

3 This is a Horn problem. That is, no case-splitting occurs in model generation. The
method described in this paper has no effect on Horn problems. Therefore, it is not
necessary for the versions (2), (3), (4), and (5) to solve Horn problems in practice.

4 Actually, applying version (5) to PUZ037-2 causes “Stack Overflow” within two
hours.
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by means of complement splitting and constrained search. Using boolean con- 
straints replaces the constrained search and has pruning effect stronger than 
that of factorization for model generation. We will implement minimal model 
generation with boolean constraints. 

In the current implementation, the most time consuming task is the conflict
test (Fig. 3 (2)(5)). The cost of this task may be reduced by using Binary Decision
Diagrams (BDDs). We are considering two approaches using BDDs: One is to
replace the constraint solver with a BDD. Another is to use a BDD for representing
a proof tree of model generation [3].

In the latter, all model candidates are simultaneously represented as the 
paths ending with a truth node in a BDD. With this representation, model 
candidates conflicting with the Boolean Constraint are automatically eliminated 
by standard BDD functions. Thus, the conflict test can be ignored. However, an 
implementation of the latter approach is more difficult than that of the former 
because BDD may create more model candidates than the model generation 
procedure, and it would be necessary to select a minimal one for efficiency. We 
are now developing a prototype for the former. 
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Abstract. We extend the notion of atom definitions in first-order formulae
by guards. These are conditions restricting the atom definition in
a form that frequently occurs in many application areas of automated
theorem proving. We give a sufficient and complete criterion for a formula
to contain such a definition and provide an effective algorithm to
actually retrieve the definition in an applicable form. An implementation
within our prover Spass leads to significant performance improvements
in application areas where atom definitions are present.



1 Introduction 

The question of when to expand and when to contract a definition is mentioned
by Larry Wos as the 30th of his 33 basic research problems |B] in automated
theorem proving, who commented that “wise use of both definition expansion and
definition contraction could sharply increase the effectiveness of various procedures
that manipulate large amounts of knowledge”.

As a supposition to the problem in the context of automated reasoning, techniques
have to be developed to actually detect, expand and contract definitions.
This paper is a contribution to the automatic detection and expansion of (atom)
definitions that generalizes existing work in that a definition may be restricted
by a so-called guard formula.

The conventional notion of atom definitions is logical equivalence of atom
instances and replacement formulae, i.e. an expression
∀x1, ..., xm. P(t1, ..., tn) ≡ ψ.

However, when we were working with our formula translator, practice revealed
that this notion is too weak to successfully deal with important application
domains such as set theory or software verification/analysis where typically such
an equivalence holds under certain guarding conditions only (footnote 1). In this paper we
therefore work out the notion of an atom definition extended by a guard as in
∀x1, ..., xm (φ ⊃ (P(t1, ..., tn) ≡ ψ)).

Now in order to apply such a definition, the subformula φ, the so-called guard,
must be valid in the context of the atom to be replaced. For this subproof, we

1 For example, in the software context, type information already builds guard
formulae.
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employ the very same techniques that have already proved useful in the context
of optimized Skolemization. Furthermore, a formula may not always contain
an atom definition in the nice form presented above. For this case we give a
syntactic criterion for a formula to contain an atom definition and provide an
effective algorithm to actually retrieve the definition in the above applicable
form. We show that the algorithm is correct and complete with respect to the
syntactic criterion. A similar procedure is used to derive the application context.

A typical example for an atom definition with guard in the set theory domain
is the definition of function composition: If fAB, read as a triple, denotes a
function from the set A into the set B, and gBC one from B to C, then composition
can be defined in a point-wise fashion as follows:

∀fAB, gBC, x, z.
  (x ∈ A ∧ z ∈ C) ⊃
  [gBC ∘ fAB(x) = z ≡ ∃y (y ∈ B ∧ fAB(x) = y ∧ gBC(y) = z)].

Here (x ∈ A ∧ z ∈ C) is the guard that has to be checked before the atom
definition of gBC ∘ fAB(x) = z can be applied.

In the context of clause-based automated theorem proving, the detection and
expansion of atom definitions is a preprocessing step of the clause normal form
(CNF) translation procedure. It is built into the Spass transformation process,
which is organized in three stages: formula renaming, optimized Skolemization
and simplification. In the first stage, subformulae are replaced with new predicates
and the definitions thereof added, provided the replacement eventually
leads to fewer clauses. This step is closely related to the automatic detection
and contraction of definitions. In the optimized Skolemization stage existential
quantifiers are removed in exchange for carefully introduced new functions. In
the last stage domain specific simplification techniques, e.g. based on the domain
size, are applied along with more general techniques like equality simplifications
and expansion of (atom) definitions. This expansion step can be considered as
symmetrical to formula renaming.

Thus by adding the techniques described in this paper to Spass, we complete 
the picture of techniques in the CNF transformation process. Altogether we can 
now provide a framework within which appropriate instantiation strategies can 
be developed and tested. 

An experimental evaluation gives strong evidence that our approach is
promising. It was performed in the SET (set theory) application area of the
TPTP [?], feeding the resulting clausal specifications into the Spass theorem
prover. This way we could solve about 60 extra problems that make up almost
20% of the overall first-order SET problems in the TPTP. For many of these
newly solved proof tasks, no previous fully automated proof attempt with any
other prover had been reported.

The paper is organized as follows: Section 2 introduces the relevant notions
and notations. In Section 3 we develop the notion of an atom definition and
show under which conditions the expansion of atom definitions preserves equivalence/satisfiability.
As atom definitions do not always have the desired shape
required in Section 3, the shape often first has to be extracted from a given
formula. Section 4 provides a syntactic criterion for the existence of an atom
definition and an effective, correct and complete algorithm to actually compute
the desired shape. Section 5 demonstrates that the theory is successfully implemented
in Spass. We end the paper with a short summary and a discussion of
related work in Section 6.



2 Preliminaries 

We rely on the terminology described in [2]. Therefore, we only repeat the more
sophisticated concepts and some notation.

We recursively construct formulae over atoms, the logical constants
$\top$ (truth) and $\bot$ (falsity), the operators $\supset$ (implication), $\equiv$ (equivalence), $\wedge$ (conjunction),
$\vee$ (disjunction) and $\neg$ (negation), and the quantifiers $\forall$ (universal) and $\exists$ (existential)
as usual. We sometimes omit parentheses to ease readability; in particular,
highest priority is given to quantification, then negation, equivalence and implication, in
descending order.

For the sequence $x_1,\dots,x_n$ ($t_1,\dots,t_n$) we use the abbreviation $\bar x_n$ ($\bar t_n$).
For convenience, we often write $\forall x_1,\dots,x_n\,\phi$ or $\forall \bar x_n\,\phi$ instead of $\forall x_1 \dots \forall x_n\,\phi$,
and analogously for the existential quantifier. If $Q_1,\dots,Q_n$ denotes a sequence
of quantifier symbols, then $\bar Q_n \bar x_n$ is short for $Q_1 x_1 \dots Q_n x_n$. To simplify the
discussion we always assume that in a formula any variable is bound by at most
one quantifier.

An interpretation is a triple $\mathcal M = (\mathcal D, \mathcal I, v)$ where $\mathcal D$ is a non-empty set,
namely the domain of discourse, $\mathcal I$ associates $n$-ary predicate symbols and function
symbols with $n$-place relations and functions respectively, and $v$ is a variable assignment. We use $\mathcal M[x/a]$
as a short form for $(\mathcal D, \mathcal I, v[x/a])$ provided $\mathcal M = (\mathcal D, \mathcal I, v)$. The satisfaction relation
$\models$ is defined as usual.

For the purpose of this paper, we extend substitutions to formulae as follows:
$P(t_1,\dots,t_n)\sigma = P(t_1\sigma,\dots,t_n\sigma)$, $(\neg\phi)\sigma = \neg(\phi\sigma)$, $(\phi_1 \circ \phi_2)\sigma = \phi_1\sigma \circ \phi_2\sigma$ where
$\circ \in \{\supset, \equiv, \wedge, \vee\}$, $(\forall x\,\phi)\sigma = \forall x\sigma\,\phi\sigma$ if $x\sigma$ is a variable and $\forall x\,\phi$ otherwise, and
$(\exists x\,\phi)\sigma = \exists x\sigma\,\phi\sigma$ if $x\sigma$ is a variable and $\exists x\,\phi$ otherwise. In general, the extension
of substitutions to formulae is problematic, because it might accidentally turn
free variables into bound variables. However, we shall only make use of this
definition in very restricted contexts where the desired semantics is preserved by
the application of the substitution.

A position is a word over the natural numbers. The set $pos(\phi)$ of positions of
a given formula $\phi$ is defined as follows: (i) the empty word $\epsilon \in pos(\phi)$; (ii) $i.\pi \in pos(\phi)$
if $\phi = \phi_1 \circ \phi_2$ and $\pi \in pos(\phi_i)$, $i \in \{1,2\}$, where $\circ \in \{\supset,\equiv,\wedge,\vee\}$; and
(iii) $1.\pi \in pos(\phi)$ if $\phi = \neg\psi$ or $\phi = \forall x\,\psi$ or $\phi = \exists x\,\psi$ and $\pi \in pos(\psi)$. Now, if
$\pi \in pos(\phi)$ we define $\phi|_\epsilon = \phi$ and $\phi|_{i.\tau} = \phi_i|_\tau$ where $\phi = \phi_1 \circ \phi_2$, $\circ \in \{\supset,\equiv,\wedge,\vee\}$,
and define $\phi|_{1.\tau} = \psi|_\tau$ if $\phi = \neg\psi$ or $\phi = \forall x\,\psi$ or $\phi = \exists x\,\psi$. We write $\phi[\psi]_\pi$ for
$\phi|_\pi = \psi$. With $\phi[\pi/\psi]$, where $\pi \in pos(\phi)$, we denote the formula obtained by
replacing $\phi|_\pi$ with $\psi$ at position $\pi$ in $\phi$. The length of a position $\pi$ is defined by
$|\epsilon| = 0$ and $|i.\tau| = 1 + |\tau|$. Let $\le$ denote the usual prefix ordering on positions:
$\pi \le \tau$ iff there exists a position $\iota$ with $\pi.\iota = \tau$, and $\pi < \tau$ iff $\pi \le \tau$ and not
$\tau \le \pi$.

The polarity of a formula occurring at position $\pi$ in a formula $\psi$ is denoted by
$pol(\psi,\pi)$ and is defined in the usual way: $pol(\psi,\epsilon) = 1$; $pol(\psi,\pi.i) = pol(\psi,\pi)$
if $\psi|_\pi$ is a conjunction, disjunction, formula starting with a quantifier, or an
implication with $i = 2$; $pol(\psi,\pi.i) = -pol(\psi,\pi)$ if $\psi|_\pi$ is a formula starting with
a negation symbol or an implication with $i = 1$; and, finally, $pol(\psi,\pi.i) = 0$ if
$\psi|_\pi$ is an equivalence.

The sets of free, bound and all variables of a formula $\phi$ (term $t$) are defined in the
usual way and denoted by the functions $free(\,)$, $bound(\,)$ and $vars(\,)$, respectively.

3 Atom Definitions and Their Application 

In this section we develop the notion of an atom definition and its expansion 
inside some other sentence. We give necessary conditions for an expansion to 
preserve satisfiability or even equivalence. 

Definition 1 (Atom definition).

An atom definition for a predicate $P$ is a sentence of the form

$\forall x_1,\dots,x_m\,(\varphi \supset P(t_1,\dots,t_n) \equiv \psi)$

where $free(P(t_1,\dots,t_n)) = \{x_1,\dots,x_m\}$. The formula $\varphi$ is called the guard
formula of the atom definition and $\psi$ its expansion formula. We also say that
$\forall x_1,\dots,x_m\,(\varphi \supset P(t_1,\dots,t_n) \equiv \psi)$ is an atom definition for $P$ at position $1^m.2$.

Note that we consider the above definition modulo the symmetry of
$\equiv$. We do not restrict the shape of the expansion formula. For example, the defined
predicate $P$ may occur in the expansion formula, since practice has shown that
even the replacement of the atom by such an expansion formula can be of great
benefit. As only sentences are considered, the condition $free(P(t_1,\dots,t_n)) =
\{x_1,\dots,x_m\}$ already implies that $free(\varphi), free(\psi) \subseteq free(P(t_1,\dots,t_n))$, which
makes sense, because eventually we want to apply the atom definition to an atom
$P(s_1,\dots,s_n)$ occurring in some sentence $\phi_2$ without creating free variables.

We want to replace the atom $P(s_1,\dots,s_n)$ in $\phi_2$ by the expansion formula
of the definition. In order to do this we first have to find a matcher $\sigma$ with
$P(t_1,\dots,t_n)\sigma = P(s_1,\dots,s_n)$. Second, we have to check the validity of the
guard in the context of $P(s_1,\dots,s_n)$. In order to make this more precise, let us
assume without loss of generality that

$\phi_2 = Q z_{i_1} \dots Q z_{i_j}\,(\varphi' \supset \chi[P(s_1,\dots,s_n)]_\pi)$

where $\varphi'$ is the already mentioned context of $P(s_1,\dots,s_n)$. Note that if $j = 0$ and
$\varphi' = \top$ the sentence represents the case where no context is explicitly available.
So we can further assume that $\{z_{i_1},\dots,z_{i_j}\} \subseteq vars(P(s_1,\dots,s_n))$. Then proving
the validity of the guard amounts to showing $\models \forall z_1,\dots,z_k\,(\varphi' \supset \varphi\sigma)$, where
$\{z_1,\dots,z_k\} = vars(P(s_1,\dots,s_n))$. The theorem below states that in fact if all
conditions we discussed so far are fulfilled, the replacement of the atom by the
expansion formula preserves equivalence.
Theorem 2. Let $\phi_1 = \forall x_1,\dots,x_m\,(\varphi \supset P(t_1,\dots,t_n) \equiv \psi)$ be an atom definition,
let $\phi_2 = Q z_{i_1} \dots Q z_{i_j}\,(\varphi' \supset \chi[P(s_1,\dots,s_n)]_\pi)$ be a sentence to which we
want to apply the atom definition, let both sentences have no variable symbols
in common and let $\sigma$ be a substitution with $P(t_1,\dots,t_n)\sigma = P(s_1,\dots,s_n)$.
Furthermore we assume $\models \forall z_1,\dots,z_k\,(\varphi' \supset \varphi\sigma)$ where $\{z_{i_1},\dots,z_{i_j}\} \subseteq
\{z_1,\dots,z_k\} = vars(P(s_1,\dots,s_n))$. Then

$\mathcal M \models \phi_1 \wedge \phi_2$ iff $\mathcal M \models \phi_1 \wedge \phi_2[1^j.2.\pi/\psi\sigma]$.

Proof. Note that $free(\varphi') \subseteq \{z_{i_1},\dots,z_{i_j}\}$ as well as $free(\varphi\sigma) \subseteq \{z_1,\dots,z_k\}$ and
$free(\psi\sigma) \subseteq \{z_1,\dots,z_k\}$, because both $\phi_1$ and $\phi_2$ are sentences. We only show the
left-to-right part of the theorem; the other part is a simple syntactic variant of
this one. So let us assume $\mathcal M \models \phi_1 \wedge \phi_2$; we must show $\mathcal M \models \phi_2[1^j.2.\pi/\psi\sigma]$,
in more detail $\mathcal M \models Q z_{i_1} \dots Q z_{i_j}\,(\varphi' \supset \chi[\pi/\psi\sigma])$. Let us assume that
$\mathcal M[z_{i_1}/a_1,\dots,z_{i_j}/a_j] \models \varphi'$ for some arbitrary $a_1,\dots,a_j$, for otherwise we are
already done. Now let $\{z_{h_{j+1}},\dots,z_{h_k}\} = \{z_1,\dots,z_k\} \setminus \{z_{i_1},\dots,z_{i_j}\}$. Then for
arbitrary $a_{j+1},\dots,a_k$ we know that $\mathcal M[z_{i_1}/a_1,\dots,z_{i_j}/a_j][z_{h_{j+1}}/a_{j+1},\dots,z_{h_k}/a_k] \models
P(s_1,\dots,s_n) \equiv \psi\sigma$, because $P(t_1,\dots,t_n)\sigma = P(s_1,\dots,s_n)$, $\models \forall z_1,\dots,z_k\,(\varphi' \supset
\varphi\sigma)$, $\mathcal M \models \phi_1$, and $\phi_1$, $\phi_2$ have no variables in common. Finally, by an inductive
argument on the length of $\pi$ we conclude $\mathcal M[z_{i_1}/a_1,\dots,z_{i_j}/a_j] \models \chi[\pi/\psi\sigma]$. $\square$

There are several aspects that can be further discussed here. First, a formula
representing an atom definition need not be of the shape introduced in
Definition 1. Furthermore, the context in the application formula may not be
syntactically available in the form required by Theorem 2. A possible answer to
both questions is contained in Section 4, where techniques are discussed that
actually extract atom definitions. The very same techniques can also be applied
to retrieve potential contexts of an atom to be replaced in a formula.

Second, the validity of the guard formula $\models \forall z_1,\dots,z_k\,(\varphi' \supset \varphi\sigma)$ is undecidable
in general. We already explored this kind of problem when we introduced
optimized Skolemization [?]. In practice, the answer is to apply an inference procedure
for this proof attempt that is guaranteed to terminate but is still valuable.
In Spass we employ an implementation of depth-bounded unit resolution for
this purpose [5].

Third, if the predicate $P$ does not occur in the expansion formula $\psi$ and if all
occurrences of $P$ in other formulae can be replaced, then the atom definition can
be deleted, preserving satisfiability. Of course, this only applies to predicates
that are freely interpreted. For example, equality cannot be eliminated this way.²
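The position, polarity and substitution machinery of Section 2 and the expansion step of Theorem 2 are small enough to be made concrete. The following is an added example written for this edition; it is not code from the paper or from Spass. Formulas are nested tuples; the predicate and function names (eq, in, app, comp, Q, the constants A, B, C, D, h, k) and the conjecture sentence are constructed for the illustration. The guard checker is a deliberately weak, always-terminating stand-in for the depth-bounded unit resolution Spass uses: it accepts a guard only if each of its conjuncts occurs literally among the conjuncts of the context.

```python
# Added example (not the paper's or Spass's code).
# Formulas: ('atom', name, args)  ('not', f)  ('and'|'or'|'imp'|'iff', f, g)  ('all'|'ex', var, f).
# Terms: a variable name (str) or ('fn', name, args); constants are ('fn', name, ()).
# Positions are tuples of ints, numbered as in the paper (the child of a negation
# or quantifier is 1, the children of a binary operator are 1 and 2).

def A(name, *args): return ('atom', name, args)
def F(name, *args): return ('fn', name, args)
def ALL(vs, f):
    for v in reversed(vs): f = ('all', v, f)
    return f

def child(f, i):                      # i-th immediate subformula of f
    return f[2] if f[0] in ('all', 'ex') else f[i]

def sub(f, pos):                      # f|pos
    for i in pos: f = child(f, i)
    return f

def replace(f, pos, g):               # f[pos/g]
    if not pos: return g
    i, rest = pos[0], pos[1:]
    if f[0] in ('all', 'ex'): return (f[0], f[1], replace(f[2], rest, g))
    return f[:i] + (replace(f[i], rest, g),) + f[i + 1:]

def pol(f, pos):                      # polarity of the occurrence at pos, as in Section 2
    p = 1
    for i in pos:
        if f[0] == 'iff': p = 0
        elif f[0] == 'not' or (f[0] == 'imp' and i == 1): p = -p
        f = child(f, i)
    return p

def tsub(t, s):                       # substitution on terms
    return s.get(t, t) if isinstance(t, str) else (t[0], t[1], tuple(tsub(a, s) for a in t[2]))

def subst(f, s):                      # substitution on formulae, with the paper's quantifier convention
    k = f[0]
    if k == 'atom': return (k, f[1], tuple(tsub(a, s) for a in f[2]))
    if k == 'not': return (k, subst(f[1], s))
    if k in ('all', 'ex'):
        y = s.get(f[1], f[1])
        return (k, y, subst(f[2], s)) if isinstance(y, str) else f
    return (k, subst(f[1], s), subst(f[2], s))

def match(pat, tgt, s):               # extend s so that pat*s == tgt; None if no matcher exists
    if isinstance(pat, str):
        if pat in s: return s if s[pat] == tgt else None
        s[pat] = tgt
        return s
    if isinstance(tgt, str) or pat[1] != tgt[1] or len(pat[2]) != len(tgt[2]): return None
    for a, b in zip(pat[2], tgt[2]):
        if match(a, b, s) is None: return None
    return s

def conjuncts(f):
    return conjuncts(f[1]) + conjuncts(f[2]) if f[0] == 'and' else [f]

def guard_holds(context, guard):
    # |= forall z (context -> guard) is undecidable; this stand-in for depth-bounded
    # unit resolution is terminating and sound but very incomplete: it accepts only
    # if every guard conjunct occurs literally among the conjuncts of the context.
    cs = conjuncts(context)
    return all(g in cs for g in conjuncts(guard))

def expand(definition, sentence, pos):
    """Theorem 2.  definition = forall x1..xm (guard -> (P(t) <-> psi));
    sentence = Q z1..zj (context -> chi) with the atom to replace at chi|pos.
    Returns sentence[1^j.2.pos / psi sigma], or None if there is no matcher or
    the guard cannot be established in the context."""
    body = definition
    while body[0] == 'all': body = body[2]
    guard, (_, atom, psi) = body[1], body[2]
    s, j = sentence, 0
    while s[0] in ('all', 'ex'): s, j = s[2], j + 1
    context, chi = s[1], s[2]
    sigma = match(atom, sub(chi, pos), {})
    if sigma is None or not guard_holds(context, subst(guard, sigma)): return None
    return replace(sentence, (1,) * j + (2,) + tuple(pos), subst(psi, sigma))

# The composition definition of the introduction:
#   forall f,g,x,z ((x in A and z in C) -> (app(comp(g,f),x) = z <-> exists y (y in B and app(f,x) = y and app(g,y) = z)))
GUARD = ('and', A('in', 'x', F('A')), A('in', 'z', F('C')))
ATOM = A('eq', F('app', F('comp', 'g', 'f'), 'x'), 'z')
PSI = ('ex', 'y', ('and', A('in', 'y', F('B')),
                   ('and', A('eq', F('app', 'f', 'x'), 'y'), A('eq', F('app', 'g', 'y'), 'z'))))
COMP_DEF = ALL(['f', 'g', 'x', 'z'], ('imp', GUARD, ('iff', ATOM, PSI)))

# Constructed conjecture with constants h, k:
#   forall a,c ((a in A and (c in C and a in D)) -> (app(comp(k,h),a) = c or Q(a)))
CONTEXT = ('and', A('in', 'a', F('A')), ('and', A('in', 'c', F('C')), A('in', 'a', F('D'))))
TARGET = A('eq', F('app', F('comp', F('k'), F('h')), 'a'), 'c')
CONJ = ALL(['a', 'c'], ('imp', CONTEXT, ('or', TARGET, A('Q', 'a'))))
SIGMA = {'f': F('h'), 'g': F('k'), 'x': 'a', 'z': 'c'}            # the matcher expand() finds
EXPECTED = ALL(['a', 'c'], ('imp', CONTEXT, ('or', subst(PSI, SIGMA), A('Q', 'a'))))
NO_GUARD = ALL(['a', 'c'], ('imp', A('in', 'a', F('A')), ('or', TARGET, A('Q', 'a'))))  # c in C missing

if __name__ == '__main__':
    print(expand(COMP_DEF, CONJ, (1,)) == EXPECTED)   # True
    print(expand(COMP_DEF, NO_GUARD, (1,)))           # None: guard not established
```

Note that the matcher is applied to the guard before it is checked, so the check is on $\varphi\sigma$ against the context, exactly as Theorem 2 requires; the conjecture without the conjunct `c in C` is rejected even though the atom matches.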

4 Contained Atom Definitions 

Atom definitions considered so far have been required to be presented in the
syntactical form of a universally quantified conditional equivalence. In order
to increase the number of situations where our concept is applicable, we now
develop a notion of atom definitions being contained in other formulae such that
the superformulae can, preserving equivalence, effectively be transformed into
the syntactical form of Definition 1. This may be looked upon as extracting
definitions from formulae. We start with the following technical term:

² Unless all equality axioms are explicitly added before the expansion is started.

Definition 3 (Contain disjunctively). Let $\phi$ be a formula containing a subformula
$\psi$ at position $\pi$. If for all $\nu \in pos(\phi)$ with $\nu < \pi$, $\phi|_\nu$ is

(i) a disjunction or implication with $pol(\phi,\nu) = 1$, or

(ii) a conjunction with $pol(\phi,\nu) = -1$, or

(iii) a quantification or a negation,

then we say that $\phi$ contains $\psi$ disjunctively at $\pi$.

The essence of this notion is that, the three conditions being fulfilled, the
formula $\phi$ can effectively be transformed into an equivalent one of the form
$\bar Q_k \bar x_k\,(\psi' \vee \psi)$ or $\bar Q_k \bar x_k\,(\psi' \vee \neg\psi)$, depending on the polarity $pol(\phi,\pi)$. This will be
useful within our extraction algorithm; but to result in atom definitions, further
conditions are necessary.

Definition 4 (Contain atom definition). Let $\phi$ be a formula with a
subformula $P(t_1,\dots,t_n) \equiv \psi$ or $\psi \equiv P(t_1,\dots,t_n)$ at position $\pi$. Then $\phi$ is said
to contain an atom definition for the predicate $P$ at $\pi$ if

(i) $\phi$ contains the subformula disjunctively with $pol(\phi,\pi) = 1$,

(ii) each free variable in $P(t_1,\dots,t_n)$ is bound by a universal quantifier with
polarity 1 or by an existential quantifier with polarity $-1$,

(iii) $free(\psi) \subseteq free(P(t_1,\dots,t_n))$, and

(iv) for all positions $\nu' < \nu < \pi$ we have: if $\phi|_\nu$ is a quantification binding
a free variable in $P(t_1,\dots,t_n)$, and $\phi|_{\nu'}$ is a quantification, then the
latter also binds a free variable in $P(t_1,\dots,t_n)$.

Now the algorithm to extract atom definitions needs to be formulated. It will
be specified as a stratified application of extraction rules that perform a transformation
of formulae. The rules are organized in three groups.

Definition 5 (Extraction rules). The list in Table 1 contains the extraction
rules as a set of transformations on formulae and positions. Note that for each of
the rules in groups (R2) and (R3), due to the symmetry of the operators $\vee$ and
$\equiv$, copies with corresponding permutations of left-hand sides have been omitted
to ease readability.



The application of extraction rules preserves a number of important properties
that are listed in the subsequent lemma. The proof is simply by inspection
of the transformations.

Lemma 6. Consider an extraction step $(\phi,\pi) \to (\phi',\pi')$.

(i) Then $\phi$ is logically equivalent to $\phi'$.

(ii) The polarities $pol(\phi,\pi)$ and $pol(\phi',\pi')$ are the same.

(iii) If $\phi$ contains $\psi$ disjunctively at $\pi$, then so does $\phi'$ with $\psi$ at $\pi'$.

(iv) If $\phi$ contains an atom definition for a predicate $P$ at $\pi$, so does $\phi'$ at $\pi'$.
Table 1. Extraction Rules

(R1)
  $(\phi[\xi/\phi_1 \supset \phi_2],\ \xi.i.\pi) \to (\phi[\xi/\neg\phi_1 \vee \phi_2],\ \xi.i.\iota'.\pi)$, where $\iota' = 1$ if $i = 1$ and else $\iota' = \epsilon$
  $(\phi[\xi/\neg\neg\psi],\ \xi.1.1.\pi) \to (\phi[\xi/\psi],\ \xi.\pi)$
  $(\phi[\xi/\neg\forall x\,\psi],\ \zeta) \to (\phi[\xi/\exists x\,\neg\psi],\ \zeta)$
  $(\phi[\xi/\neg\exists x\,\psi],\ \zeta) \to (\phi[\xi/\forall x\,\neg\psi],\ \zeta)$
  $(\phi[\xi/\neg(\psi_1 \vee \psi_2)],\ \xi.1.i.\pi) \to (\phi[\xi/\neg\psi_1 \wedge \neg\psi_2],\ \xi.i.1.\pi)$
  $(\phi[\xi/\neg(\psi_1 \wedge \psi_2)],\ \xi.1.i.\pi) \to (\phi[\xi/\neg\psi_1 \vee \neg\psi_2],\ \xi.i.1.\pi)$

(R2)
  $(\phi[\xi/\phi_1 \vee (\phi_2 \vee P(\bar t_n) \equiv \psi)],\ \xi.2.2) \to (\phi[\xi/(\phi_1 \vee \phi_2) \vee P(\bar t_n) \equiv \psi],\ \xi.2)$
  $(\phi[\xi/\exists x\,(\phi_1 \vee P(\bar t_n) \equiv \psi)],\ \xi.1.2) \to (\phi[\xi/\exists x\,\phi_1 \vee P(\bar t_n) \equiv \psi],\ \xi.2)$ if $x \notin free(P(\bar t_n))$
  $(\phi[\xi/\forall x\,(\phi_1 \vee P(\bar t_n) \equiv \psi)],\ \xi.1.2) \to (\phi[\xi/\forall x\,\phi_1 \vee P(\bar t_n) \equiv \psi],\ \xi.2)$ if $x \notin free(P(\bar t_n))$
  $(\phi[\xi/\phi_1 \vee \forall x\,\phi_2],\ \xi.2.1.\iota) \to (\phi[\xi/\forall x\,(\phi_1 \vee \phi_2)],\ \xi.1.2.\iota)$ if $\phi_2|_\iota$ is $P(\bar t_n) \equiv \psi$ or $\psi \equiv P(\bar t_n)$ and $x \in free(P(\bar t_n))$ (left-hand side illegible in the scan; reconstructed from the proof of Theorem 8)

(R3)
  $(\phi[\xi/\varphi' \vee P(\bar t_n) \equiv \psi],\ \xi.2) \to (\phi[\xi/\neg\varphi' \supset P(\bar t_n) \equiv \psi],\ \xi.2)$

The algorithm is now composed of successive exhaustive application of each
group of transformation rules.

Definition 7 (Extraction algorithm for atom definitions). Given a formula
$\phi$ and a position $\pi$ in $\phi$, the extraction algorithm consists of the following
stages of successive extraction steps that start from $(\phi,\pi)$:

Stage 1: Apply (R1) exhaustively.

Stage 2: Apply (R2) exhaustively.

Stage 3: Apply (R3) if possible.

We now prove that this algorithm is terminating, equivalence preserving,
correct and complete with respect to Definition 4.

Theorem 8. The extraction algorithm terminates for any input $(\phi,\pi)$ with $\pi$ a
position in the formula $\phi$. Furthermore, let $(\phi',\pi')$ be the output of the algorithm
for input $(\phi,\pi)$. Then $\phi$ and $\phi'$ are equivalent; and $\phi'$ is an atom definition for
$P$ at $\pi'$ if and only if $\phi$ contains an atom definition for $P$ at $\pi$.

Proof. (Termination.) Within the first stage, termination can already be established
if the transformation rules are considered as a rewrite system, interpreting
formulae as terms and embedding the system into a recursive path ordering with
appropriate precedence. The rules in the second stage either decrease the length
of the position, or that length remains unchanged but the length of the position
of a quantifier for one of the finitely many free variables in the subformula at
hand is decreased. Finally, the rule in the third stage is applied no more than
once.

(Equivalence preservation.) This follows immediately from Lemma 6.

(Correctness.) One has to show that if the algorithm outputs $(\phi',\pi')$ where $\phi'$
is an atom definition for a predicate $P$ at $\pi'$, then the input $\phi$ contains an atom
definition for $P$ at $\pi$. In fact, the formula $\phi'$ of course contains an atom definition
for $P$ at $\pi'$; and one easily shows by inspection of the extraction rules that, if the
resulting formula of a transition contains a definition, then the original formula
did as well.

(Completeness.) Assume the algorithm starts with a formula $\phi$ as input which
contains an atom definition for $P$ at $\pi$. By Lemma 6 the output formula $\phi'$
contains such a definition at $\pi'$. We have to show that $\phi'$ even adheres to the
syntactically stricter form of an atom definition. Let $(\phi_2,\pi')$ denote the result
of Stages 1 and 2, i.e. before the (possible) single application of the rule of the
last stage.

What are the operators that may appear on the path from the root position
of the formula $\phi_2$ to the position $\pi'$? First of all, due to the positive polarity
$pol(\phi_2,\pi')$, no equivalence is possible there. Second, because of the exhaustive
application of rules in Stage 1, $\phi_2|_\zeta$ cannot be an implication for any position
$\zeta$ above $\pi'$. Third, since negations have uniformly been moved downwards, they
could only appear immediately above the position $\pi'$. Due to the elimination
of double negations, their number is 0 or 1, the latter being impossible since
$pol(\phi_2,\pi') = 1$. Finally, if there were a conjunction, then because of its negative
polarity there would have to be a negation above it, but there is actually none. So $\phi_2|_\zeta$
is a disjunction or a quantification for all $\zeta < \pi'$.

Let us now have a look at a quantification $\phi_2|_\zeta$ at a position $\zeta$ above $\pi'$.
Because of Stage 2 it must bind a variable in $\phi_2|_{\pi'}$. Since there are no more
negations, its polarity is positive, hence it can only be a universal one. In fact,
since every free variable in the equivalence $\phi_2|_{\pi'}$ is bound, there is one quantification
for each free variable thereof. These quantifications do not appear
within disjunctions, i.e. they form a prenex, whereas the underlying disjunction
must contain the equivalence $\phi_2|_{\pi'}$ as right top-level disjunct. So $\phi_2$ is a
formula of the form $\forall \bar x_k\,(\chi \vee P(\bar t_n) \equiv \psi)$. Finally Stage 3 transforms $\phi_2$ into
$\phi' = \forall \bar x_k\,(\varphi \supset P(\bar t_n) \equiv \psi)$ where $\varphi = \neg\chi$, which indeed is an atom definition
for $P$. $\square$

The notions developed so far can straightforwardly be extended to cover also 
conjunctive occurrence of subformulae, and thereby to handle atom definitions 
contained in a conjunctive fashion. 

Finally, note that the extraction algorithm presented here is in principle 
also applicable to transform the contexts in which an atom definition is to be 
applied. One starts with the corresponding notion of a formula containing an 
atom occurrence and modifies Stage 2 such that it works on occurrences instead 
of equivalences. 
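The three stages of Definition 7 can be run on the tuple representation used in the previous example. What follows is an added example for this edition, not the Spass implementation. The equivalence to be extracted is tracked by object identity instead of by a position, so the rules never have to adjust positions and the output position is recomputed at the end. Stage 2 implements what the completeness proof of Theorem 8 requires of it and relies on every variable being bound at most once (Section 2): quantifiers binding no variable of $P(\bar t_n)$ are pushed below the target disjunct, quantifiers binding one are pulled out over disjunctions (the (R2) rule whose left-hand side is illegible in the scan is assumed to be this step), and disjunctions are flattened so that the target is the right top-level disjunct. The input formulas, with predicate names eq, in, app, comp, R and constants A, C, are constructed for the illustration.

```python
# Added example (not the Spass code).  Same tuple encoding as the previous example:
# ('atom', name, args)  ('not', f)  ('and'|'or'|'imp'|'iff', f, g)  ('all'|'ex', var, f).

def A(name, *args): return ('atom', name, args)
def F(name, *args): return ('fn', name, args)
def ALL(vs, f):
    for v in reversed(vs): f = ('all', v, f)
    return f

def tvars(t):
    return {t} if isinstance(t, str) else {v for a in t[2] for v in tvars(a)}

def free(f):
    k = f[0]
    if k == 'atom': return {v for a in f[2] for v in tvars(a)}
    if k == 'not': return free(f[1])
    if k in ('all', 'ex'): return free(f[2]) - {f[1]}
    return free(f[1]) | free(f[2])

def kids(f):
    return () if f[0] == 'atom' else (f[2],) if f[0] in ('all', 'ex') else f[1:]

def contains(f, t):
    return f is t or any(contains(c, t) for c in kids(f))

def position(f, t):                   # position of the identity-tracked subformula t in f
    if f is t: return ()
    for i, c in enumerate(kids(f), 1):
        p = position(c, t)
        if p is not None: return (i,) + p
    return None

def stage1(f):
    """(R1) exhaustively: eliminate implications, push negations down to atoms and
    equivalences, drop double negations.  Equivalences are returned unchanged, so
    the target object survives (the path to it never crosses another one)."""
    k = f[0]
    if k in ('atom', 'iff'): return f
    if k == 'imp': return ('or', stage1(('not', f[1])), stage1(f[2]))
    if k in ('and', 'or'): return (k, stage1(f[1]), stage1(f[2]))
    if k in ('all', 'ex'): return (k, f[1], stage1(f[2]))
    g = f[1]                                           # k == 'not'
    if g[0] == 'not': return stage1(g[1])
    if g[0] == 'and': return ('or', stage1(('not', g[1])), stage1(('not', g[2])))
    if g[0] == 'or': return ('and', stage1(('not', g[1])), stage1(('not', g[2])))
    if g[0] == 'imp': return ('and', stage1(g[1]), stage1(('not', g[2])))
    if g[0] == 'all': return ('ex', g[1], stage1(('not', g[2])))
    if g[0] == 'ex': return ('all', g[1], stage1(('not', g[2])))
    return f                                           # negated atom or equivalence

def stage2(f, t, pv):
    """(R2) along the path from f to t.  Returns (xs, rest) with f equivalent to
    forall xs (rest or t), rest possibly None; returns None when the path is not
    built from disjunctions and quantifiers only, a variable of P(t) is bound
    existentially (Definition 4 (ii)), or a foreign quantifier sits above one
    binding a variable of P(t) (Definition 4 (iv))."""
    if f is t: return [], None
    k = f[0]
    if k == 'or':
        inner, other = (f[1], f[2]) if contains(f[1], t) else (f[2], f[1])
        r = stage2(inner, t, pv)
        if r is None: return None
        xs, rest = r     # xs are not free in other (unique binding), so other moves below the prefix
        return xs, other if rest is None else ('or', other, rest)
    if k in ('all', 'ex'):
        r = stage2(f[2], t, pv)
        if r is None: return None
        xs, rest = r
        if f[1] in pv:
            return ([f[1]] + xs, rest) if k == 'all' else None
        if xs or f[1] in free(t): return None
        return xs, None if rest is None else (k, f[1], rest)   # Q x (rest or t) == (Q x rest) or t
    return None

def extract(f, t):
    """Definition 7.  t must be the equivalence object (P(..) <-> psi) occurring in f.
    Returns (f', pos) with f' an atom definition for P at pos, or None when f
    contains no atom definition at t."""
    if t[0] != 'iff' or t[1][0] != 'atom': return None   # mirrored orientation omitted, as in Table 1
    pv = free(t[1])
    r = stage2(stage1(f), t, pv)
    if r is None or set(r[0]) != pv or not free(t) <= pv: return None
    xs, rest = r
    guard = ('not', rest) if rest is not None else ('atom', 'true', ())   # Stage 3 (R3)
    out = ALL(xs, ('imp', guard, t))
    return out, position(out, t)

# Constructed input: the composition definition hidden in a negated existential,
#   forall f,g not exists x,z (x in A and (z in C and not (app(comp(g,f),x) = z <-> psi)))
A1, A2 = A('in', 'x', F('A')), A('in', 'z', F('C'))
PSI = ('ex', 'y', ('and', A('eq', F('app', 'f', 'x'), 'y'), A('eq', F('app', 'g', 'y'), 'z')))
T = ('iff', A('eq', F('app', F('comp', 'g', 'f'), 'x'), 'z'), PSI)
SLOPPY = ALL(['f', 'g'], ('not', ('ex', 'x', ('ex', 'z', ('and', A1, ('and', A2, ('not', T)))))))
EXPECTED = ALL(['f', 'g', 'x', 'z'], ('imp', ('not', ('or', ('not', A1), ('not', A2))), T))
# a foreign quantifier below the prefix is pushed into the guard ...
FOREIGN_BELOW = ALL(['f', 'g'], ('not', ('ex', 'x', ('ex', 'z', ('and', A1, ('and', A2,
                    ('ex', 'w', ('and', A('R', 'w'), ('not', T)))))))))
# ... but one above it, or a P variable bound existentially, blocks the extraction
FOREIGN_ABOVE = ALL(['f', 'g'], ('all', 'w', ('or', A('R', 'w'), ALL(['x', 'z'], ('or', ('not', A1), T)))))
WRONG_POLARITY = ALL(['f', 'g'], ('ex', 'x', ('all', 'z', ('or', ('not', A1), T))))

if __name__ == '__main__':
    print(extract(SLOPPY, T) == (EXPECTED, (1, 1, 1, 1, 2)))   # True
    print(extract(FOREIGN_BELOW, T)[1], extract(FOREIGN_ABOVE, T), extract(WRONG_POLARITY, T))
```

The guard produced for SLOPPY is $\neg(\neg x \in A \vee \neg z \in C)$ rather than the conjunction of the introduction; it is the (R3) shape, equivalent but not simplified, which is why the paper's Spass stage follows it with a simplification pass.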



First-Order Atom Definitions Extended 317



5 Experiments 

Several problem domains are naturally formalized using atom definitions, like
software verification/analysis or set theory. We concentrate on the latter, because
the examples presented below are widely available through the TPTP [?]. The
current version of the TPTP at this writing is 2.4.1.

The previous chapter leaves open any aspects of an actual implementation
of the theory. We found the following settings to be useful: (i) all found atom
definitions are only applied to the conjecture formula, (ii) for the proof of the
guard formula, we use Spass itself restricted to depth-bounded unit resolution
[5], (iii) the number of atom definition applications is limited to at most
10 applications,³ (iv) all atom definitions are kept, even if the defined predicate
could be completely eliminated through expansions. These features are
available in Spass Version 2.0, which can be obtained from the Spass homepage:
http://spass.mpi-sb.mpg.de/.

The hardware used for the tests are old-fashioned PCs (333 MHz Pentium II)
running SunOS 5.6, so the results should be easily reproducible on any current
hardware. The examples shown in Table 2 are all examples that Spass could not
solve without detecting and expanding atom definitions in the way described
before. These examples make up about 20% of all first-order SET examples in
the TPTP. The table shows the TPTP problem name together with the time
in seconds needed for Spass to prove the problem. All numbers are rounded up
to seconds. Summing up, with the techniques described in this paper,
Spass can solve in a few seconds many problems that without them could not
be done at all within any reasonable time limit. For many of these examples,
Spass was the first automatic prover to report a successful proof attempt to the
TPTP; so we encourage the reader to test these examples using his/her favorite
theorem proving system.

In general, it is pretty clear that changes to any parameter chosen for this 
experiment have influence on the success or non-success of a particular proof 
attempt. It is well known from proof attempts in mathematics that there are 
problems where the expansion of definitions in the conjecture is the key to a 
successful proof and that there are problems where just the opposite is the case. 

Nevertheless, we made some additional runs on the TPTP SET first-order
problems that may give a feeling for the influence the parameters have on Spass's
success. If we change the number of atom definition applications from 10 to 5,
then we lose 15 out of the above 60 problems. If we change it from 10 to 15, then
we lose 2 problems. However, besides the above 60 problems, both parameter
settings can prove further problems. For all experiments we made on the TPTP
SET domain, the time needed by Spass to actually extract the atom definition,
the context of the atom to be replaced and to prove the guard formula could be
neglected.

If we compare Spass with and without expansion of atom definitions on
all SET first-order examples of the TPTP except the above 60 problems, the
expansion version loses 5 problems compared to the version without expansion
of atom definitions. However, it also wins several new problems besides the above
60 problems. We didn't include these problems into the above 60 ones, because
they can also be solved with Spass without expansion of atom definitions, but
with other parameter variations.

³ We will discuss this "magic number" at the end of the section.

Table 2. SET Experiments (TPTP problem name and Spass proof time in seconds, rounded up)

Problem    time | Problem    time | Problem    time | Problem    time | Problem    time
SET010+3      1 | SET011+3      1 | SET012+4      1 | SET013+4      1 | SET016+4      1
SET066+1      2 | SET069+1    192 | SET071+1      1 | SET143+3      1 | SET143+4      1
SET144+3      1 | SET155+4      2 | SET156+4      5 | SET159+3      1 | SET159+4      1
SET169+3      1 | SET169+4      1 | SET171+3      1 | SET171+4      1 | SET173+3      1
SET175+3      1 | SET351+4      1 | SET352+4      1 | SET358+4     21 | SET593+3      1
SET595+3      1 | SET606+3      1 | SET607+3      1 | SET608+3      1 | SET609+3      1
SET610+3      1 | SET611+3      1 | SET612+3      1 | SET613+3      1 | SET614+3      1
SET615+3      1 | SET624+3    101 | SET634+3      1 | SET690+4     15 | SET692+4      1
SET693+4      1 | SET694+4      1 | SET695+4      1 | SET696+4      1 | SET698+4     71
SET699+4      1 | SET700+4      1 | SET701+4      1 | SET702+4      1 | SET703+4      1
SET706+4      5 | SET720+4     31 | SET722+4     18 | SET731+4      2 | SET734+4     18
SET751+4      3 | SET753+4      4 | SET754+4      4 | SET755+4      3 | SET763+4      2



6 Summary and Related Work 

We have extended the notion of atom definitions in first-order logic by guards 
and presented conditions under which atom definitions can be expanded within 
formulae. Furthermore, we gave an effective algorithm to retrieve such definitions 
from equivalences within complex formulae. We presented a syntactic criterion 
for a formula to contain a definition and showed that our algorithm is correct 
and complete with respect to the criterion. To the best of our knowledge, there 
is no previous work in the context of automated theorem proving that relates to 
these results on atom definitions with guards on the formula level. 

The theory is implemented within the CNF translation module of Spass. 
Feeding its outcome into Spass, we have performed an experimental evaluation 
showing that the prover can benefit tremendously in application domains where 
atom definitions with guards are frequent. Our approach being that successful 
already, future work will focus on the question of expanding atom definitions 
with guard dynamically also in the theorem proving process itself. 

On the clause level, there exist contributions on how definitions can be detected
and utilized. Plaisted and Zhu [3] presented an approach to detect definitions
on the clause level and to turn them into replacement rules. These rules are
then employed to simulate the expansion of atom definitions on the clause level.
Apart from the fact that the detection of guards on the clause level is not
straightforward, applying this work to atom definitions with guards means that
the guards are checked after expansion.

More recently, Degtyarev and Voronkov [1] introduced stratified resolution, a
sound and complete resolution calculus that can in particular be used to restrict
resolution on clauses resulting from atom definitions such that only expansion
steps are performed.



Acknowledgments. We thank Andrei Voronkov for many discussions and a 
number of valuable comments. 
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Abstract. We outline the background and motivation for the use of 
interval logics and consider some initial attempts toward proof support 
and automation. The main focus, though, is on recent work on these 
subjects. We compare different proof theoretical formalisms, in particular 
a “classical” versus a “labelled” one. We discuss encodings of these in the 
generic proof assistant Isabelle and consider some examples which show 
that in some cases the labelled formalism gives an order of magnitude 
improvement in proof length compared to a classical approach. 



1 Introduction 

Interval logic was introduced in computer science in the beginning of the 1980's
and various work was carried out during the 1980's. With the introduction of
Duration Calculus (DC) in the beginning of the 1990's, renewed interest in interval
logics flourished. During the 1990's a lot of work on interval logics has
been carried out (including work on more DC-specific parts as such).

The purpose of this paper is to discuss initiatives toward automated proof 
support for interval logics. We consider some initial attempts but the main fo- 
cus is on recent work on these subjects. We compare different proof theoretical 
formalisms, in particular a “classical” versus a “labelled” one. We discuss encod- 
ings of these in the generic proof assistant Isabelle and consider some examples 
which show that in some cases the labelled formalism gives an order of magnitude 
improvement in proof length compared to a classical approach. 

The results of the paper go beyond the interval logic world, in that they can
be seen as supporting the program of Gabbay [1] on using labelled formalisms
for non-classical logics.

The rest of the paper is organized as follows: In the following section, Section
2, we give a brief outline of the development of interval logics used in computer
science during the past 20 years. In Section 3 we become more technical,
and consider syntax and semantics of the interval logics we are particularly interested
in here. Section 4 more specifically starts to address the proof theory by
considering different attempts to define (in a "classical" way) a sequent calculus
for certain interval logics. Then, in Section 5, we turn to a fundamentally different
proof theoretic formalism, namely that of Labelled Natural Deduction. We
give examples convincingly conveying the benefits of this formalism and discuss
how an implementation in Isabelle can act as a framework for a certain class of
interval logics. Finally, in Section 6, we discuss the results obtained.



2 Background 



It is generally acknowledged that Pnueli [?] was the first to introduce temporal
logic in computer science. In this (original kind of) temporal logic one can make
qualitative reasoning over sequences of discrete time points. The use of these
temporal logics is widespread today, e.g., within the model checking community.

But even though such temporal logics have turned out the most popular, 
variations over the theme have also been thoroughly considered, among these 
the topic of this paper: Interval (Temporal) Logics. In these logics, one reasons 
on the relationships of temporal intervals (which are most often represented as 
a pair of a beginning point and an end point). These can be based on either a 
discrete or a dense time domain. It is possible to express properties such as “if 
property (j) holds on this interval then property '0 must hold on all subintervals” 
or “property ip must hold on some interval eventually” . 

One of the first uses of such a formalism was the work of Enni where timing
aspects of hardware components were modeled. There has been a lot of work
since, on many different aspects of interval logics, e.g., [?].

In the ProCoS project at the end of the 1980's and the beginning of the
1990's it was realized that a convenient formalism for specifying and reasoning
on accumulated durations of Boolean-valued functions over time periods
was required for expressing certain properties of real-time systems. This led
to the development of Duration Calculus (DC) [?], which is an extension of the
interval logic ITL [?] with term-level notions for accumulated durations. The
introduction of DC initiated much work on aspects of DC as well as, importantly,
interval logics proper. As DC was introduced, the underlying version of ITL had
not been thoroughly investigated; no complete axiomatization existed. This was
not given until 1995 [?]. Together with a relative completeness result for DC
and (un)decidability results this led to [7], which is the most comprehensive
reference for the logical foundations of DC.

Soon it became apparent that the original ITL had some limitations which
made it difficult to specify (unbounded) liveness properties. An initial attempt
to overcome this was [?]. Later, Neighbourhood Logic (NL) [23] was introduced
on a firmer theoretical basis. Fairly recently, Signed Interval Logic (SIL) [12]
was proposed, with the introduction of the notion of a direction of an interval.
SIL has (as ITL) only one interval modality but SIL is (contrary to ITL) capable
of specifying liveness properties. Other interval logics capable of this (such as
NL) have more than one interval modality.

Not long after the introduction of DC it was realized that some kind
of proof support was needed for interval logics to be more widely applicable, in
particular for the conduction of larger case studies. Initial work in this direction
was a semantic encoding in PVS in '94, giving PVS/DC [?]. As mentioned
above, at that time no complete axiomatization for ITL existed. Later, based
on the complete axiomatization, an encoding of ITL and DC in Isabelle was
carried out, giving Isabelle/DC [?]. This latter work was somewhat ad hoc as
the emphasis mainly was on getting the system "up and running" so as to be
able to conduct case studies.

Only recently, mug, have the proof theoretical foundations necessary for 
automated proof support been more closely investigated. In Sections |4] and |5] 
we will discuss how these formalisms work from a more applied viewpoint, by 
considering different examples of reasoning. 



3 Interval Logic 

In this section we become more technical and consider the syntax and semantics of 
the interval logics we are particularly interested in, namely ITL [3] and SIL [16]. 

The syntax of ITL and SIL is basically the same, namely that of First Order 
Logic (FOL) with equality, with the addition of formulas built from the binary 
interval modality chop ($\frown$). We let $x, y, z, \ldots$ denote variables, $s, t, u, \ldots$ denote 
terms and $\phi, \psi, \chi, \ldots$ denote formulas. Hence, syntactically, we have formulas of 
the form $\phi \frown \psi$ beside the usual FOL formulas. Furthermore, both ITL and SIL 
include a special nullary function symbol $\ell$ which gives the length of an interval. 
This is the most distinctive feature of the interval logics we consider here 
compared to other kinds of interval logics. 

Semantically, formulas of ITL are interpreted with respect to a given interval, 
which is represented by a pair $[i,j]$ (where $i < j$) of elements from an ordered 
temporal domain of time points. The meaning of the usual operators of FOL is 
independent of this interval, whereas the meaning of $\frown$ is not; the semantics of 
$\frown$ is indicated in Fig. 1. We will refer to $k$ of Fig. 1 as the chopping point of $\frown$. The 
chopping point will always lie inside the current interval on which we interpret 
a given formula. In general, modalities with this property are called contracting. 
With contracting modalities it is only possible to specify safety properties of a 
system. This is because once we have chosen the interval we want to observe we 
are restricted to specifying properties of this interval and its subintervals. 



Fig. 1. $\phi \frown \psi$ holds on $[i,j]$ iff there is $k \in [i,j]$ such that $\phi$ holds on $[i,k]$ and $\psi$ on $[k,j]$ 

To specify (unbounded) liveness properties, we need to reach intervals outside 
the current interval. In general, modalities which can do this are called 
expanding. NL is an example of an interval logic with expanding modalities. 

SIL is a generalization of ITL with the introduction of the notion of a direction 
(which can be either forward or backward) of an interval. An interval with 
a direction is represented in SIL by a signed interval $(i,j)$. Both the pair $(i,j)$ 
and the pair $(j,i)$ represent the same interval, but $(j,i)$ has the opposite direction 
of $(i,j)$. In SIL, $\ell$ now gives the signed length of an interval. Intuitively, the 
absolute value of $\ell$ gives the length of the interval and the sign of $\ell$ determines 
the direction. Because of the directions of intervals, the meaning of $\frown$ in SIL is 
altered: see Fig. 2. In the figure the direction of an interval is marked with a 
small arrowhead at one end of the interval. The chopping point can now lie 
anywhere and not just inside the current interval. This means that $\frown$ of SIL has 
become an expanding modality, hence SIL can specify liveness properties. 



Fig. 2. $\phi \frown \psi$ holds on $(i,j)$ iff there is $k$ such that $\phi$ holds on $(i,k)$ and $\psi$ on $(k,j)$ 



ITL and SIL are modal logics. Formally, the semantics sketched above is 
given in terms of Kripke structures where the possible worlds are intervals. If 
we let $\mathfrak{M}$ be a first order Kripke model, the formal semantics of, e.g., $\wedge$ can be 
given as 

$\mathfrak{M}, (i,j) \models \alpha \wedge \beta$ iff $\mathfrak{M}, (i,j) \models \alpha$ and $\mathfrak{M}, (i,j) \models \beta$ . 

Thus, the semantics of $\wedge$ is independent of the interval $(i,j)$. Similarly for 
the other Boolean connectives. In the case of $\frown$ of SIL we have 

$\mathfrak{M}, (i,j) \models \alpha \frown \beta$ iff $\mathfrak{M}, (i,k) \models \alpha$ and $\mathfrak{M}, (k,j) \models \beta$ for some $k$ . 

In the case of $\frown$ of ITL the semantics is the same except that $k$ is restricted 
by $i < k < j$. The semantics of $\ell$ is given by a certain measure which of course 
is dependent on the given interval. 

For fully formal treatments of the semantics of ITL and SIL we refer to [3] 
and [16], respectively. There, soundness and completeness results with respect 
to Hilbert-style proof systems are also proved. 



3.1 The Converse Modality I 

We will end this section by giving a simple example of what can be expressed 
in SIL (at the same time showing something that cannot be expressed in ITL). 
The example is concerned with properties of a (definable) unary modality $^{-1}$ 
which "reverses" the direction of an interval: 

$\phi^{-1} = (\exists x)\big( (\ell = x) \wedge \big( ((\ell = 0) \wedge ((\ell = x) \frown \phi)) \frown \mathrm{true} \big) \big)$ . 

One can straightforwardly show semantically that $\phi^{-1}$ holds on an interval 
$(i,j)$ iff $\phi$ holds on the interval $(j,i)$. We would like to show the following 
properties of $^{-1}$: 

1) $(\phi^{-1})^{-1} \leftrightarrow \phi$ ,   2) $(\phi \frown \psi)^{-1} \leftrightarrow \psi^{-1} \frown \phi^{-1}$ . 

It is quite easy to informally convince oneself of the correctness of 1) and 2) 
by drawing signed intervals (in the style of Fig. 2) and seeing how they fit together. 
In later sections we will see how these properties can be proven formally and 
more or less automatically. 

Note how $^{-1}$ and the properties 1) and 2) are related to classical (binary) 
relational algebra [20]. This connection (and others) is further discussed in [16]. 

4 Sequent Calculus 

In this section we consider some initiatives toward automated proof support 
for interval logics which have in common that they are all based on a sequent 
calculus formulation. 

In PVS/DC [18] various inference rules for ITL and DC are formulated in a 
sequent style. As mentioned in Section 2, this work is not based on a complete 
axiomatization and the rules are hence quite ad hoc. We will therefore not say 
more about this here. 

The first attempt at (automated) proof support for ITL/DC with a complete 
axiomatic basis is that of [8]. There, ITL and DC are encoded on top of a FOL 
sequent calculus LK in Isabelle [12]. The result, Isabelle/DC, does not take much 
advantage of the sequent formalism: in essence, the axioms of the Hilbert system 
are added directly as axioms to LK, thus giving a mix of a Hilbert and a sequent 
system. As a consequence, not much automation is achieved. 

In [17] a sequent calculus proof system for SIL is considered. Here an attempt 
is made to take advantage of the sequent calculus formalism as such and not just 
add axioms. This results in rules such as 

$$\frac{\Gamma, \phi \frown \chi \vdash \Delta \qquad \Gamma, \psi \frown \chi \vdash \Delta}{\Gamma, (\phi \vee \psi) \frown \chi \vdash \Delta}$$

which mimics the left-introduction rule for $\vee$ known from propositional logic but 
here "under the chop". There are more rules in the same style, resulting in a 
complete system. It is not a "proper" sequent calculus system though, in that $\frown$ 
does not appear in exactly one left and one right introduction rule. This aspect, 
and other important sequent calculus properties, is further discussed in [17]. By 
these measures it is not likely that a proper system exists at all; this also seems to 
be the case for most modal logics in general [^. Despite this negative indication, 
it is seen how far the formalism can be "pushed": the main theoretical result 
of [17] is a "decidability modulo cut" result which entails that if one ignores the 
cut rule (which is necessary for completeness) provability is decidable (SIL is 
provably undecidable in general). Finally, [17] sketches how this sequent calculus 
system for SIL has been encoded in Isabelle, giving Isabelle/SIL. 

4.1 The Converse Modality II 

As an example of reasoning in Isabelle/SIL we consider mechanically proving 1) 
and 2) (cf. Section 3.1). 
This required proving a substantial amount of initial results, including many 
derived rules concerning the interplay between $\frown$ and the Boolean operators as 
well as the special $\ell$ symbol. Many of these were added to Isabelle's Classical 
Reasoner which encapsulates several search tacticals adopting various strategies. 
A lot of rewrite rules suitable for Isabelle's Simplifier were proved too.¹ 

Based on this initial development, the proof of 1) and 2) took up approximately 
200 lines of the proof script. The proof is not very straightforward and 
took some ingenuity to complete. We will in the following section see how this 
can be done much better. 



5 Labelled Natural Deduction 

In this section we consider Labelled Natural Deduction (LND) systems for interval 
logics. This proof theoretical framework is fundamentally different from 
the classical approaches: the intervals, which so far have only appeared in the 
semantics, are made part of the syntax and thereby an important part of the 
proof system. This approach is inspired by the work on Labelled Modal Logic 
m which in turn was carried out in response to Gabbay's program on Labelled 
Deductive Systems [1]. 

The most important consequence of the LND formalism is that it is possible 
to have a "proper" natural deduction system with exactly one I-(ntroduction) 
and one E-(limination) rule for each connective, including the modalities. In 
the case of $\frown$ of SIL we have the following rules: 

$$\frac{(i,k):\phi \qquad (k,j):\psi}{(i,j):\phi \frown \psi}\ (\frown I) \qquad\qquad \frac{(i,j):\phi \frown \psi \qquad \begin{array}{c}[(i,k):\phi]\ \ [(k,j):\psi]\\ \vdots\\ (m,n):\chi\end{array}}{(m,n):\chi}\ (\frown E)$$

In [18] a sound and complete LND system for SIL is given. The main theoretical 
result is a normalization result which implies that normal derivations 
satisfy a subformula property. How an encoding of this labelled formalism could 
be done in Isabelle (giving Isabelle/LSIL) is indicated and the advantages are 
postulated. 



5.1 The Converse Modality III 

In this section we revisit the example concerning the converse modality $^{-1}$. As 
in Section 4.1 we want to mechanically prove the properties 1) and 2), but this 
time we use a version of Isabelle/LSIL which turns out to be much more convenient. 
Below we give (essentially) the whole proof script for the proofs of 1) and 2). 
(Note how conv(P) is used as concrete syntax for $\phi^{-1}$ and len is used for $\ell$.) 



¹ We refer to [12] for details on Isabelle specific aspects in general. 
val [prem] = 
Goal "(<i,j>:EX x. len=x ==> <i,j>:P) ==> <i,j>:P"; 
by (fast_tac (claset() addIs [prem,exICF]) 1); 
qed "len_ex"; 

Goalw [conv_def] "<i,j>:P ==> <j,i>:conv(P)"; 
br len_ex 1; 
by (fast_tac (claset() addEs [exE] addIs [exIRI]) 1); 
qed "convI"; 

Goalw [conv_def] "<i,j>:conv(P) ==> <j,i>:P"; 
by (slow_tac (claset() addEs [exE,uniqI,zeroE2rev]) 1); 
qed "convE"; 

Goal "<i,j>:conv(conv(P)) <-> P"; 
by (fast_tac (claset() addIs [convI] addDs [convE]) 1); 
qed "conv_conv"; 

Goal "<i,j>:conv(P~Q) <-> conv(Q)~conv(P)"; 
by (fast_tac (claset() addIs [convI] addDs [convE]) 1); 
qed "conv_chop"; 

As part of the proof we derive I- and E-rules for the $^{-1}$ modality. These 
rules, and subsequently 1) and 2), can be proven using fast_tac and slow_tac, 
which are tactics (provided by Isabelle's Classical Reasoner) performing depth- 
first search, using I- and E-rules for the usual Boolean connectives and chop 
(encapsulated in claset()).² Besides this, I-/E-rules for the existential quantifier 
(exE, exIRI, exICF) are added where needed. Furthermore, two simple rules 
expressing uniqueness constraints on intervals (uniqI, zeroE2rev) are utilized. 
We will for space reasons not go into further explanation of details of the above 
proof script. The important thing to note is that the proof script only takes up 
roughly 20 lines. Hence, we have achieved an order of magnitude improvement 
in proof length compared to the Isabelle/SIL proof. We have here not taken into 
account that the initial development necessary for the above proof is shorter 
than the corresponding one in Isabelle/SIL too. 



5.2 Isabelle/LSIL as a General Framework 

Above we have discussed the LND system for SIL together with an example 
in Isabelle/LSIL. What if we do not need/want the expressive power of signed 
intervals but prefer the standard intervals of ITL? Semantically, ITL can be 
regarded as a restriction of SIL, as only a subset of the signed intervals are 
allowed: the intervals where the end point is greater than the beginning point 
(i.e., all forward intervals). This intuition motivates the following LND rules for 
$\frown$ in ITL. 



² Contrary to fast_tac, slow_tac backtracks over proof by assumption. 
$$\frac{(i,k):\phi \qquad (k,j):\psi \qquad i \sqsubseteq k \qquad k \sqsubseteq j}{(i,j):\phi \frown \psi}\ (\frown I) \qquad\qquad \frac{(i,j):\phi \frown \psi \qquad \begin{array}{c}[(i,k):\phi]\ \ [(k,j):\psi]\ \ [i \sqsubseteq k]\ \ [k \sqsubseteq j]\\ \vdots\\ (m,n):\chi\end{array}}{(m,n):\chi}\ (\frown E)$$

Loosely speaking, by restricting the other rules of SIL in a similar way we 
will arrive at an LND system for ITL. The relation $\sqsubseteq$ defines an ordering over 
the temporal domain, and to reason with $\sqsubseteq$ judgments we add rules defining its 
properties (such as transitivity). 

One could now make an ITL encoding in Isabelle in parallel to the SIL 
encoding. This encoding would actually be a little more complicated, as one 
would have to take care of the $\sqsubseteq$ judgments as well. But a little thought shows 
that it is possible to encode ITL directly in Isabelle/LSIL. This owes to the 
following observations: 

1. $i \sqsubseteq j$ is semantically equivalent to $(i,j) : \mathrm{fwd}$ (we use fwd as an abbreviation 
for $\ell > 0$). By exploiting this we do not have to introduce a new judgment. 

2. By defining a special contracting chop modality as $\phi \mathbin{|\frown|} \psi = (\phi \wedge \mathrm{fwd}) \frown (\psi \wedge \mathrm{fwd})$ 
we get the intended semantics of chop of ITL within SIL. 

3. We can derive an I- and an E-rule for $|\frown|$ within the SIL system. In Isabelle/LSIL 
the result looks as follows: 

itlchopI "[| <i,k>:P; <k,j>:Q; <i,k>:fwd; <k,j>:fwd |] 
          ==> <i,j>:P|~|Q"; 

itlchopE "[| <i,j>:P|~|Q; <i,j>:fwd; 
             !!k. [| <i,k>:P; <k,j>:Q; <i,k>:fwd; <k,j>:fwd |] 
                  ==> <l,m>:R |] ==> 

In conclusion, we can say that if we from the start assume $(i,j) : \mathrm{fwd}$ and 
thereafter use the above I-/E-rules, we have a sound framework for reasoning 
within ITL with minimal effort, and we have most of the "infrastructure" of 
Isabelle/LSIL at our disposal. It is fairly straightforward to formally justify this. 

Note that the idea sketched above can be taken a step further: we can also 
encode, e.g., NL in Isabelle/LSIL. Thus, we still only consider forward intervals, 
but we do include liveness. We can derive I- and E-rules for the two expanding 
modalities of NL and then reason within this framework; again, most of the 
"infrastructure" of Isabelle/LSIL comes for free. 
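A finite-model checker for the SIL semantics of Section 3, the converse modality of Section 3.1 and the SIL-internal definition of ITL's chop in items 1 and 2 above, as an added example that is not code from the paper or from Isabelle/LSIL. It enumerates a small discrete time domain {0..N} and checks properties 1) and 2) exhaustively; it assumes fwd as "signed length >= 0" (so point intervals count as forward) and ITL's chopping point k with i <= k <= j as in Fig. 1.

```python
"""Finite-model checker for SIL's signed-interval chop against ITL's contracting chop.

Added example (not code from the paper): formulas are evaluated on the discrete
time domain {0..N} with the paper's semantics of chop and its definition of the
converse modality phi^{-1}; properties 1) and 2) are then checked exhaustively.
Assumptions: fwd is "signed length >= 0" (point intervals count as forward) and
ITL's chopping point k ranges over i <= k <= j (Fig. 1).
"""
from itertools import product

N = 4                          # time points 0..N (constructed; small enough to enumerate)
POINTS = range(N + 1)
TRUE = ("true",)
FWD = ("fwd",)                 # assumed abbreviation: signed length >= 0

# Formula constructors (formulas are nested tuples).
def Atom(name):   return ("atom", name)      # interpreted by a model: name -> set of (i, j)
def Len(x):       return ("len", x)          # l = x, with x an int or the name of a bound variable
def Not(f):       return ("not", f)
def And(f, g):    return ("and", f, g)
def Or(f, g):     return ("or", f, g)
def Chop(f, g):   return ("chop", f, g)      # f chop g
def Exists(v, f): return ("exists", v, f)    # v ranges over the signed lengths -N..N
def Iff(f, g):    return Or(And(f, g), And(Not(f), Not(g)))

def conv(f):
    """Converse modality of Section 3.1:
    f^{-1} = (exists x)( l = x  and  ((l = 0 and (l = x chop f)) chop true) )."""
    return Exists("x", And(Len("x"), Chop(And(Len(0), Chop(Len("x"), f)), TRUE)))

def itl_chop(f, g):
    """ITL's contracting chop defined inside SIL (item 2 above): (f and fwd) chop (g and fwd)."""
    return Chop(And(f, FWD), And(g, FWD))

def holds(f, i, j, model, env=None, signed=True):
    """Does f hold on the interval (i, j)?  signed=True is SIL (chopping point anywhere);
    signed=False is ITL, where the chopping point k stays inside [i, j]."""
    env = {} if env is None else env
    tag = f[0]
    if tag == "true":  return True
    if tag == "fwd":   return j - i >= 0
    if tag == "atom":  return (i, j) in model[f[1]]
    if tag == "len":
        x = f[1]
        return j - i == (env[x] if isinstance(x, str) else x)      # signed length of (i, j)
    if tag == "not":   return not holds(f[1], i, j, model, env, signed)
    if tag == "and":   return holds(f[1], i, j, model, env, signed) and holds(f[2], i, j, model, env, signed)
    if tag == "or":    return holds(f[1], i, j, model, env, signed) or holds(f[2], i, j, model, env, signed)
    if tag == "chop":
        ks = POINTS if signed else range(i, j + 1)
        return any(holds(f[1], i, k, model, env, signed) and holds(f[2], k, j, model, env, signed)
                   for k in ks)
    if tag == "exists":
        return any(holds(f[2], i, j, model, {**env, f[1]: v}, signed) for v in range(-N, N + 1))
    raise ValueError(f"unknown formula tag {tag!r}")

def valid(f, model, signed=True):
    """Validity over every interval of the finite model (forward intervals only for ITL)."""
    intervals = [(i, j) for i, j in product(POINTS, POINTS) if signed or i <= j]
    return all(holds(f, i, j, model, signed=signed) for i, j in intervals)

# Constructed model: the signed intervals on which the state predicates P and Q hold.
MODEL = {"P": {(2, 4), (3, 0), (4, 4)}, "Q": {(4, 2), (0, 3), (2, 2)}}
P, Q = Atom("P"), Atom("Q")

def converse_matches_semantics(model=MODEL):
    """P^{-1} holds on (i, j) iff P holds on (j, i), on every interval."""
    return all(holds(conv(P), i, j, model) == holds(P, j, i, model)
               for i, j in product(POINTS, POINTS))

def property_1(model=MODEL):
    """1)  (P^{-1})^{-1} <-> P"""
    return valid(Iff(conv(conv(P)), P), model)

def property_2(model=MODEL):
    """2)  (P chop Q)^{-1} <-> Q^{-1} chop P^{-1}"""
    return valid(Iff(conv(Chop(P, Q)), Chop(conv(Q), conv(P))), model)

def contracting_chop_agrees(model=MODEL):
    """(P and fwd) chop (Q and fwd) in SIL coincides with ITL's chop on forward intervals."""
    return all(holds(itl_chop(P, Q), i, j, model, signed=True) ==
               holds(Chop(P, Q), i, j, model, signed=False)
               for i, j in product(POINTS, POINTS) if i <= j)

def reaches_outside():
    """'true chop (P chop true)' on (0, 1): SIL's expanding chop reaches P on (2, 4),
    entirely outside the interval; ITL's contracting chop cannot."""
    f = Chop(TRUE, Chop(P, TRUE))
    return holds(f, 0, 1, MODEL, signed=True), holds(f, 0, 1, MODEL, signed=False)

if __name__ == "__main__":
    print(converse_matches_semantics(), property_1(), property_2(),
          contracting_chop_agrees(), reaches_outside())
```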

An Example. We will here consider an example which is based on an encoding 
of ITL in Isabelle/LSIL as sketched above. Furthermore, DC has been encoded 
on top of this ITL encoding. 

The example is the classical Gas Burner example, the motivating example 
for the introduction of Duration Calculus. This small case study is mainly 
focused on illustrating the DC extension of ITL. Thus, it is reasoning on the 
term level which is (primarily) exercised. 
The example is concerned with proving an implementation correct with respect 
to a specification. The proof script in Isabelle/LSIL takes up more than 
400 lines. This is not too impressive given that we are using the labelled formalism. There 
are both intrinsic and more practical explanations for this somewhat disappointing 
result: reasoning on the term level means reasoning on the same interval. 
Clearly, the labelled formalism is only advantageous when relating intervals; 
thus, in the term level case we do not gain compared to a classical approach. 
There is not much to do about that. What something can be done about is the 
amount of automation for term level reasoning. This is in particular the case 
for arithmetic reasoning on integers, including representation of integers. A lot 
could here be learned from the quite elaborate theories and tools (in particular 
the use of the Simplifier) in Isabelle/HOL [12]. Another possibility is the use 
of external decision procedures (such as SVC). The problem here is to make a 
convenient interface. An initial attempt toward this is made in [S]. 

6 Discussion 

We have in this paper seen how much the choice of formalism for reasoning in 
a certain logic means for the amount of work needed to conduct proofs. We in 
particular saw how much we gained when going from a "classical" (Isabelle/SIL) 
to a "labelled" formalism (Isabelle/LSIL) in the case of proving properties 1) 
and 2) concerning the $^{-1}$ modality. But the gain is not only apparent in such 
somewhat academic examples. The benefits are also clear in more interesting examples: 
this is, e.g., the case for an example conducted using Isabelle/LSIL 
concerning properties of a simple oscillator. Here various modalities are derived 
for expressing certain liveness properties. Because of the nice structure of the 
LND system many parts of the proof can be automated in the style of 1) and 2). 
Even if a lot of automation is not possible in other parts of the proof, it is still 
intuitively easier to reason, as the proofs are closer to informal "pen and paper" 
reasoning because the intervals in the logic can be visualized as intervals in the 
style of Fig. 2. (This aspect is further discussed in [18].) The parts which are hard 
to automate can be identified as concerning an amount of term level reasoning. 
The same lesson was learned in recent work by Henrik Pilegard on formalizing 
and proving some simple properties of the Deadline Driven Scheduler (DDS) in 
Isabelle/LSIL. This work was inspired by an earlier formalization of the DDS in 
DC where proofs were done by hand [23]. 

In conclusion, we can say that reasoning on the formula level, where intervals 
are related, has been greatly improved by using the labelled framework. In "real- 
life" examples we also have to do parts of the reasoning on the term level. For 
this, work still has to be done on improving the tools, and some directions for 
this were mentioned in connection with the Gas Burner example of the above 
section. 

Finally, it is important to realize that the results of this paper have implications 
outside the realm of interval logics as they support the program of Gabbay 
[4] on using labelled formalisms for non-classical logics. 
Abstract. Function provability in higher-order logic is a versatile and 
powerful framework for conceptual classification as well as verification 
and derivation of declarative programs. Here we show that the func- 
tions provable in second-order logic with first-order set-abstraction are 
precisely the elementary functions. This holds regardless of whether the 
logic is classical, intuitionistic, or minimal. 

The notion of provability here is not purely logical, as it incorporates 
a trivial theory of data, with axioms stating that each data object has 
a detectable main constructor which can be destructed. We show that 
this is necessary, by proving that without such rudimentary axioms the 
provable functions are merely the functions broadly-represented in the 
simply typed lambda calculus, a collection that does not even include 
integer subtraction. 



1 Introduction 

Proof Theory provides a classification of computable functions by the strength 
of formal theories used in proving their convergence for all input. For instance, 
Gödel showed that the provably total functions of first-order (Peano) arithmetic 
are precisely the functions definable by primitive recursion in finite types [10], 
and Parsons showed that if induction is restricted to $\Sigma_1$-formulas¹ then exactly 
the primitive recursive functions are provably recursive [24]. Sam Buss 
continued this line of research, and showed how further restrictions lead to formalisms 
whose provably total functions are exactly major computational complexity 
classes, such as poly-time and poly-space [6]. These results are of proof 
theoretic rather than computational interest, because the formalisms considered 
incorporate explicit restrictions on resources, akin to Cobham's characterization 
of poly-time in terms of initial functions that capture poly-time size growth plus 
a non-size-increasing recursion schema [7]. 

* Research supported by NSF grant CS-0105651 

¹ These are just the existential formulas if the formalism admits defining equations 
for all elementary functions; for Peano's Arithmetic one must discount the use of 
bounded quantifiers. 



R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 330—346, 2001. 
One would wish to develop proof theoretic methodologies that capture complexity 
classes by limiting conceptual abstraction rather than resources. One 
such line of research has explored first-order theories whose provably-total functions 
form certain complexity classes [19,3,22]. The main ingredient there is a 
calibration of induction, not in terms of bounding size of values, but in terms of 
formula complexity, data ramification, and control and information flow in the 
proofs. 

An alternative paradigm, set forth in [16], is based on the second-order definability 
of inductive data types, such as the natural numbers and strings over a 
finite alphabet. For instance, if $N[x]$ is the formula that states that every set containing 
zero and closed under the successor function $s$ contains $x$, then $N$ defines, 
in every structure, the set of numeral-denotations. Consequently, second-order 
theories of data, such as second order Peano Arithmetic, are easily interpretable 
in pure second-order logic [26]. Moreover, the canonical proof system for second- 
order logic, summarized in Table 1, although not semantically complete, has the 
same proof theoretic power as second-order arithmetic. 

Since second-order logic is far more powerful than first-order arithmetic, one 
might expect that it is a less propitious setting than first-order theories for 
characterizing feasible complexity classes and reasoning about them. In fact, the 
opposite is the case. The key parameter for calibrating the power of second-order 
logics is the scope of permissible set-definitions, often referred to as the Comprehension 
Principle or Set-existence Principle, and expressed by the following 
axiom schema. 

$\forall x_1 \ldots x_k \; R(\vec{x}) \leftrightarrow \psi$ 

Here $k \geq 0$, $R$ is a $k$-ary relational variable, and $\psi$ is a formula in which $R$ does 
not occur free.² In natural deduction formalisms the Comprehension Principle 
can be conveyed instead by the rule for second-order $\forall$-elimination (or $\forall$R for 
sequential formalisms):³ 

$$\frac{\forall R \, \varphi[R]}{\varphi[\lambda \vec{x} \psi]}$$

We can now consider variants of second-order logic where the Comprehension 
Principle is restricted to formulas $\psi$ of certain form. For example, restricting set- 
existence to first-order formulas $\psi$ conveys the conviction that only sets defined 
by first-order properties are sufficiently well-formed to allow quantification over 
them.⁴ This is a particularly natural restriction, because allowing $\psi$ itself to 
contain a relational quantifier is conceptually circular: the admitted relations $\psi$ 
are then defined in terms of quantification over all admitted relations. 

It would seem natural to conjecture that restricting Comprehension to first- 
order formulas yields a formalism closely related to first-order arithmetic. Not 

² $\psi$ may refer to variables other than $x_1 \ldots x_k$, and need not refer to all of the latter. 

³ Here $\varphi[\lambda \vec{x} \psi]$ stands for the result of replacing every subformula $R(t_1 \ldots t_k)$ of $\varphi$ by 
the result of simultaneously substituting in $\psi$ the terms $t_1 \ldots t_k$ for the 
variables $x_1 \ldots x_k$, respectively. 

⁴ In model theoretic terms this corresponds to Henkin models that are closed under 
first-order definability; see e.g. [17] for an exposition. 
Table 1. Second-order natural deduction: core formalism L2 

[Table 1 is not legible in the scan. It lists the introduction and elimination rules of L2 for $\wedge$, $\to$, first-order $\forall$ (introduction from $\varphi[z]$ to $\forall x \, \varphi[x]$, with the side condition that $z$ does not occur in open assumptions; elimination to $\varphi[t]$) and relational $\forall$ (introduction from $\varphi[Q]$ to $\forall R \, \varphi[R]$, with the side condition that $Q$ does not occur in open assumptions; elimination to $\varphi[\lambda \vec{x} \psi]$). L2(C) is L2 with $\psi \in C$ in relational $\forall$-elimination. The intuitionistic variant of L2 has one additional inference rule, $\bot$-elimination (from $\bot$ infer $\varphi$); the classical variant of L2 has one additional inference rule for $\bot$, which is not legible in the scan.] 
so. The interpretation of second-order arithmetic in second-order logic is possible 
because induction over $N$ is provable: if $N[x]$ is the definition above of $N$, 
then from $N[x]$ one obtains, by Comprehension, particular instances for its set 
quantifier, namely: that if $\psi$ is a property that holds for 0 and is closed under 
successor, then $\psi$ holds for $x$. In addition, the interpretation relies on a relativization 
of first-order quantifiers to the formula $N$. Thus, to obtain induction 
for a first-order formula $\psi_0$ of first-order arithmetic, we would need Comprehension 
for the formula $\psi$ obtained by relativizing all quantifiers in $\psi_0$ to $N$. But 
since $N$ is not first-order, neither is $\psi$! Indeed, the Set Existence principle that 
corresponds to first-order arithmetic is analyzed in [15,21], and is far stronger 
than Set Existence for first-order formulas. 

What is, then, the computational complexity corresponding to first-order set 
existence? We show in this paper that it is precisely the Kalmar elementary 
functions, i.e. the functions computable in resources (time and space) of order 
$E_k(n)$, where $E_0(x) =_{df} x$, and $E_{k+1}(x) =_{df}$ 

Setting aside for the moment the exact formulation of this correspondence, this result is not altogether 
unexpected. In a certain precise sense, second-order logic with first-order set existence 
is an expressive variant of first-order logic. However, the combinatorics 
of first-order derivations is fundamentally the same as that of propositional logic 
[28], and normalization for order-bounded fragments of propositional logic is 
elementary. 

Our proof that every function provable using first-order set existence is el- 
ementary indeed follows the outline above. More delicate is the proof of the 
converse. In the first place, one needs to craft a notion of function provability 
within second-order logic which is appropriate for weak set existence princi- 
ples. A methodology for reasoning about computations in higher order logics is 
laid out in [16]. Rather than using syntax coding, as in traditional reasoning 
about computation within Peano Arithmetic and similar first-order theories (see 
e.g. [12,13]), it integrates programs into the logical formalism. However, this ap- 
proach has to be refined when set existence is restricted all the way to first-order 
formulas, because certain basic properties of data that are trivially provable us- 
ing slightly stronger set existence, are no longer available at this level. Indeed, 
we shall show (Theorem 9) that too simple a notion of function provability does 
not even yield a reasonable computational complexity class. 

In recent years a number of approaches have established machine independent 
characterizations of the class of elementary functions (see e.g. [11,1,18,8,22]). 
However, the interest of the present results lies in their being a component of 
a broad and promising methodology, more than in merely offering yet another 
link between logic and the Kalmar-elementary functions. Set-existence principles 
in analysis have been known for almost two decades to provide a methodology 
for classifying the proof theoretic strength of various theorems of mathematical 
analysis; this is the Reverse Mathematics project that has been initiated and 
developed primarily by Harvey Friedman and Stephen Simpson [27]. However, in 
that project the basic theory is primitive recursive arithmetic, thus divorcing 
it from connections to computational complexity and feasible mathematics. In 
contradistinction, our focus on set-existence principles in second-order logic offers 
new vistas while preserving the old ones. By the interpretation of second-order 
arithmetic in second-order logic (see e.g. [26]), sufficiently powerful set-existence principles 
span all the proof theoretic power of second-order arithmetic. However, we are 
in a position to consider very weak comprehension principles, which correspond 
to feasible complexity classes, as shown in [16]. 

More importantly perhaps, the formalisms presented here are promising as 
a conceptually transparent and practically flexible formalization of Kalmar- 
elementary mathematics. The method is generic to all inductive data types⁵, 
it is axiomatically lean and unobt
rusive, and it incorporates equational computing 
directly and seamlessly. Moreover, the relation to Kalmar-elementary 
resources is transparent: one can develop virtually all Mathematical Analysis in 
second-order logic, and proceed to identify the Kalmar-elementary portions as 
an afterthought, by inspecting the formulas for which set-existence is used. 

⁵ Indeed, it is generic for the broader notion of inductive data-system, see [20]. 
2 Provable Programs of Higher-Order Logics 

2.1 Second-Order Delineation of Data 

We refer to symbolic data in the guise of inductively generated word algebras. 
We focus on the most fundamental form of symbolic data, the set $W =_{df} \{a,b\}^*$ 
of words over a two letter alphabet. Our treatment can be extended trivially 
to other inductive data types and data-systems (see [20]). We identify $W$ with 
the algebra generated from three constructors, the 0-ary $\varepsilon$ (the empty string) 
and unary $a$ and $b$, so e.g. $aab$ is identified with $aab\varepsilon$. We write $V_0$ for the 
vocabulary consisting of these three constructors. We dub the closed $V_0$-terms 
the base-terms. 

Consider second-order logic, obtained by augmenting the syntax of first-order 
formulas with variables ranging over relations, and quantification over such variables. 
It is well-known that inductively generated algebras are second-order definable. 
For instance, the natural numbers are second-order definable in the sense 
that in every structure the elements satisfying the following predicate $N$ are precisely 
the denotations of the numerals $0, s(0), \ldots$ 

$N[x] =_{df} \forall Q \, ( Cl_N[Q] \to Q(x) )$, 

where 

$Cl_N[Q] =_{df} Q(0) \wedge \forall u \, (Q(u) \to Q(s(u)))$. 

Similarly, in every structure for a vocabulary containing $V_0$ the elements 
satisfying the following formula $W[x]$ are precisely the denotations of the base 
terms: 

$W[x] =_{df} \forall Q \, ( Cl_W[Q] \to Q(x) )$, 

where 

$Cl_W[Q] =_{df} Q(\varepsilon) \wedge \forall u \, (Q(u) \to Q(a(u))) \wedge \forall u \, (Q(u) \to Q(b(u)))$. 



2.2 Equational Programs 

As in earlier works, we consider a functional/equational computation model, 
in the style of Herbrand-Gödel, familiar from the extensive literature on algebraic 
semantics of programs. This rudimentary model is particularly suited for 
integration into logic, since its syntax is contained in the syntax of equational 
logic. 

We posit a stock of fresh function identifiers dubbed the program-functions. 
Each program-function is assigned some arity $\geq 0$.⁶ Consider terms generated by 

⁶ Insisting on positive arities makes no difference, because each constant c can be 
simulated by f(c) for a fresh function identifier f and a 0-ary constructor c. 
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arity-correct application from the constructors, free variables, and the function- 
identifiers.^ A program-body over W is a finite set of equations between terms. A 
program is a pair (P, f) of a program-body P and a program-function f , called 
the program’s principal identifier. We refer to P itself as the program, where 
in no danger of confusion. We write Vp for the vocabulary of P, i.e. the set 
consisting of the constructors and the program-functions of P. 

Given a program P, we write $P \vdash E$ if E is a $V_P$-equation derivable from P in equational logic. That is,⁷

1. $P \vdash E$ for every $E \in P$;

2. $P \vdash t = t$ for every $V_P$-term t;

3. If $P \vdash E$ then $P \vdash \{t/u\}E$ for every $V_P$-term t and variable u;

4. If $P \vdash \{t/u\}E$ and $P \vdash t = t'$, then $P \vdash \{t'/u\}E$.

We say that P is coherent if $P \nvdash t = t'$ for distinct base-terms $t, t' \in W$.

Each program-function g of arity r induces on W the relation

$g^P =_{df} \{(w_1, \ldots, w_r, v) \in W^{r+1} \mid P \vdash g(w_1, \ldots, w_r) = v\}.$

If P is coherent, then each $g^P$ is univalent, i.e. (the graph of) a partial function. The function computed by (P, f) is then the partial function $f^P$ over W. For examples of programs see [20].

2.3 Simulating Turing Machines 

Let M be a deterministic TM over the alphabet {0, 1}, with states $q_1, \ldots, q_k$. Assume, w.l.o.g., that M never writes a blank nor moves the head past the first blank. Then each tape-configuration of M can be represented by two words over {0, 1}: the configuration's left-word, representing the portion of tape preceding the reading head, and the right-word, representing the non-blank portion of the tape from the head on (using $\epsilon$ in case the head reads the first blank). If we code each state $q_i$ by some word $\#q_i \in \{a, b\}^*$, then a configuration of M with state $q_i$ is represented by $\#q_i$, the left-word, and the right-word.

Let S, L and R be the binary functions over W defined, for M's run on input w, by

$S(w, t)$ = the code of the state of M after |t| steps,
$L(w, t)$ = the left-word after |t| steps,
$R(w, t)$ = the right-word after |t| steps.



Lemma 1 Let M, S, L, R be as above. There is a coherent program (P, R) that computes the function R associated with M.

⁶ An alternative approach is to have each variable assigned a sort and each program-function a first-order type over the sorts, and to require that terms be correctly sorted. The two approaches are identical in the case of a single sort, and they differ in inessential ways for the general case. The present approach is more in keeping with a semantic, "Curry-style," type system.

⁷ We write {t/x} for the operation of substituting t for x in the argument.
Proof. P contains the defining equations for the destructor and case functions, as well as the following equations for the program-functions S, L and R, which convey the operational semantics of the functions S, L and R, respectively. $S(w, \epsilon)$ is defined as the code of the initial state, $L(w, \epsilon) = \epsilon$, and $R(w, \epsilon) = w$. The values of $S(w, ct)$, $L(w, ct)$, and $R(w, ct)$ (where c = a, b) are defined in terms of $S(w, t)$, $L(w, t)$, and $R(w, t)$ according to the transition rules of M, using the constructors and the destructor and case functions.

To see that P is coherent, consider the structure $\mathcal{W}$ for the vocabulary $V_P$, obtained by expanding the free algebra W with the intended interpretations of the destructor and case functions, and the interpretation of the program-functions S, L and R as the functions S, L and R. Since M is a deterministic TM, these interpretations are functions, and so $\mathcal{W}$ is a model of P. Since every equation derivable from P is true in $\mathcal{W}$, no equation between distinct base-terms can be derived from P. ∎
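As an added example (not code from the paper), the configuration encoding of Section 2.3 and the functions S, L and R of Lemma 1, run on a small constructed machine; the machine FLIP, the state coding #q_i = a^i b and the coding of the tape symbols 0/1 by the constructors a/b are assumptions of this example. It also exhibits, via stabilizes_after, the step bound T(x) beyond which R(t, x) no longer changes, which Proposition 15 below relies on.

```python
# Added example, not from the paper: the state-code / left-word / right-word
# representation of TM configurations (Section 2.3) and the functions
# S(w,t), L(w,t), R(w,t) of Lemma 1, for a constructed machine.
# Assumptions of this example: tape symbol 0 is coded by the constructor a
# and 1 by b; state q_i is coded by the word #q_i = a^i b; the step count |t|
# is passed as an integer.
from typing import Dict, Optional, Tuple

Symbol = Optional[str]           # '0', '1', or None for the blank
BLANK: Symbol = None
# (state, scanned symbol) -> (next state, symbol written, head move)
Table = Dict[Tuple[int, Symbol], Tuple[int, Symbol, int]]

# FLIP complements its input left to right and halts (state 2) on reaching
# the first blank.  It never writes a blank and never moves the head past
# the first blank, as Section 2.3 assumes of M.
FLIP: Table = {
    (1, '0'): (1, '1', +1),
    (1, '1'): (1, '0', +1),
    (1, BLANK): (2, BLANK, 0),
}
INITIAL_STATE = 1


def code_state(i: int) -> str:
    """#q_i: the word a^i b over {a, b} (constructed coding)."""
    return 'a' * i + 'b'


def code_tape(word: str) -> str:
    """Code a {0,1}-word as a base-term of W over the constructors a, b."""
    return word.translate(str.maketrans('01', 'ab'))


def step(M: Table, state: int, left: str, right: str) -> Tuple[int, str, str]:
    """One transition of M on (state, left-word, right-word).  The head scans
    the first symbol of the right-word, or the blank when it is empty.  A
    final configuration is returned unchanged, so S, L and R are defined for
    every step count."""
    scanned: Symbol = right[0] if right else BLANK
    if (state, scanned) not in M:
        return state, left, right
    new_state, written, move = M[(state, scanned)]
    if written is not BLANK:
        right = written + right[1:]     # right[1:] is '' if a blank was scanned
    elif scanned is not BLANK:
        raise ValueError("M must not write a blank")
    if move == +1:
        if not right:
            raise ValueError("M must not move past the first blank")
        left, right = left + right[0], right[1:]
    elif move == -1:
        if not left:
            raise ValueError("head already at the left end of the tape")
        left, right = left[:-1], left[-1] + right
    return new_state, left, right


def run(M: Table, w: str, steps: int) -> Tuple[str, str, str]:
    """(S(w,t), L(w,t), R(w,t)) for |t| = steps: state code, left-word and
    right-word after that many steps of M on input w, as words over {a, b}."""
    state, left, right = INITIAL_STATE, '', w
    for _ in range(steps):
        state, left, right = step(M, state, left, right)
    return code_state(state), code_tape(left), code_tape(right)


def stabilizes_after(M: Table, w: str, bound: int) -> int:
    """Least n < bound from which the configuration no longer changes: a
    witness for the T(x) of Proposition 15.  Returns -1 if M is still
    running after bound steps (bound is a constructed cutoff)."""
    for n in range(bound):
        if run(M, w, n) == run(M, w, n + 1):
            return n
    return -1
```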

2.4 Models for Programs 

We model equational programs in the vein of universal algebra and the algebraic semantics of programs (see e.g. [23,30,25]). The main concepts go back to Birkhoff's classical development of equational theories and quotient relations over free algebras [4].

Given a program P over W, let us write P also for the conjunction of the universal closures of all equations in P. There is no danger of ambiguity, since this convention will apply uniformly to occurrences of P as a logical formula. Our canonical model of P, denoted $\mathcal{M}(P)$, has as universe the quotient algebra $W(P)/({\approx_P})$, where W(P) is the free algebra generated from the constructors and program-functions of P, and $t \approx_P t'$ iff $P \vdash t = t'$. Since $\approx_P$ is an equivalence relation (indeed a congruence relation), we write $[t]_\approx$ (or simply [t]) for the equivalence class of a term t. The identifiers of $V_P$ are interpreted in $\mathcal{M}(P)$ in the obvious way; e.g. if f is unary then $[\![f]\!][t] = [ft]$. In particular, for $n \in \mathbb{N}$ we have $[\![\bar n]\!] = [\bar n]_\approx$, as can be seen by induction on n.

If $\sigma$ is a substitution of closed $V_P$-terms for variables,⁸ then we write $[\sigma]$ for the environment over $\mathcal{M}(P)$ defined by $[\sigma]x = [\sigma x]$.⁹ By induction on terms, we can verify that $[\sigma]t = [\sigma t]_\approx$, for all $V_P$-terms t.

Lemma 2 For every program P, $\mathcal{M}(P) \models P$, that is, all equations in P are valid in the structure $\mathcal{M}(P)$.¹⁰ ∎

2.5 A Logical Rendition of Program Convergence 

For an r-ary function identifier f let

$\mathrm{Tot}(f) =_{df} \forall x_1 \ldots x_r.\ (W[x_1] \wedge \cdots \wedge W[x_r] \to W[f(\vec{x})])$

⁸ I.e. there is a finite set X of variables such that $\sigma x$ is a closed term for $x \in X$, and $\sigma x = x$ otherwise.

⁹ As usual, an environment is a mapping from the formal variables to structure elements.

¹⁰ For a proof see [20].
Proposition 3 Let (P, f) be a coherent program, computing a partial function $f^P$ over W. The following conditions are equivalent:

1. $f^P$ is total.

2. Tot(f) is true in every model of P.

3. Tot(f) is true in the canonical model $\mathcal{M}(P)$.

Proof. Without loss of generality, let f be unary.

(1) ⇒ (2): Suppose $\mathcal{W}$ is a model of P, and assume W[a] where a is an element of $\mathcal{W}$. Then a is a denotation of a base-term t. Since $f^P$ is total, there is a complete P-computation terminating with f(t) = t' for some base-term t'. Since $\mathcal{W}$ is a model of P, and all computation steps are valid inferences from P (in equational logic), we obtain $\mathcal{W} \models f(t) = t'$. On the other hand, since t' is a base-term, $\mathcal{W} \models W[t']$. Put together, we obtain $\mathcal{W} \models W[f(t)]$. Thus $\mathcal{W} \models \mathrm{Tot}(f)$.

Clearly (2) implies (3), since $\mathcal{M}(P)$ is a model of P.

Finally, to see that (3) implies (1) suppose that $\mathcal{M}(P) \models \mathrm{Tot}(f)$. Then, for every base-term t there is a base-term t' for which $\mathcal{M}(P) \models f(t) = t'$. By the definition of $\mathcal{M}(P)$, this means that the equation f(t) = t' is derivable from P. Thus $f^P$ is total. ∎



2.6 Function Pure-Provability 

Proposition 3 motivates the following definition. 



Definition 4 Let T be a higher-order deductive system over a vocabulary containing the vocabulary $V_P$ of P. We say that a coherent program (P, f) is purely provable in T if Tot(f) is derivable in T from P. In that case we also say that the function computed by (P, f) is purely provable.

The deductive systems considered here can be purely logical, e.g. the natural 
deduction formalism laid out in Table 1 above. 

The following proposition illustrates the concept of function provability in 
second-order logic. 



Proposition 5 All primitive recursive functions (over $\mathbb{N}$) are purely provable in second-order logic.

Proof. The initial functions are purely-provable trivially, and the purely-provable functions are obviously closed under composition. To see that the purely-provable functions are also closed under primitive recursion, let f be defined by

$f(0, x) = g_0(x)$
$f(sn, x) = g_s(f(n, x), n, x)$

where $g_0$ and $g_s$ are provable. Reasoning within second-order logic, assume that n and x satisfy N. From $N[n] = \forall Q\,(\mathrm{Cl}_N[Q] \to Q(n))$ we conclude, by instantiating Q to the unary relation $\psi[y] =_{df} N[f(y, x)] \wedge N[y]$,

$\mathrm{Cl}_N[\psi] \to \psi[n].$

Given that x satisfies N, and that $g_0$ and $g_s$ are purely-provable, it is easy to conclude $\mathrm{Cl}_N[\psi]$, and so $\psi[n]$, which concludes the proof. ∎

In fact, we have the following result, which is implicit already in [9]. 

Theorem 6 The functions purely-provable in second-order logic are precisely the provably recursive functions of second-order arithmetic.

More generally, for each $k \ge 2$, the functions purely-provable in k-order logic are precisely the provably recursive functions of k-order arithmetic. ∎

The proof of Theorem 6 is based on an interpretation of k-order arithmetic in k-order logic. The crucial aspect of that interpretation is the relativization of quantifiers to the predicate N above. The schema of Induction,

$\mathrm{Cl}_N[\lambda x.\varphi] \to \forall x\,(N[x] \to \varphi),$

is then provable, by instantiating the relational quantifier in N to $\lambda x.\varphi$. As mentioned in the Introduction above, this translation maps formulas of first-order arithmetic to formulas in which quantifiers are relativized to N, i.e. to second-order formulas. Indeed, $L_2(\mathrm{FO})$, where FO is the class of first-order formulas, is already much weaker than first-order arithmetic.

We thus have a methodology for correlating complexity classes with natural proof formalisms, without explicit use of resource bounds. As the class C of formulas shrinks, the functions provable in $L_2(C)$ become computationally more manageable, leading to a spectrum of purely logical proof theoretic characterizations of major complexity classes. Indeed, we showed in [16] that $L_2(\mathrm{Pos})$, where Pos is the class of positive formulas, i.e. without implication or negation, is closely related to poly-time. More precisely, for a notion of function provability different from the ones used here, the "provable" functions of $L_2(\mathrm{Pos})$ are precisely the poly-time functions. The notion of function provability we develop here is far preferable to that of [16]. We shall prove elsewhere that the functions provable in $L_2(\mathrm{Pos})$, according to our new definition, are also precisely the functions in poly-time.



3 The Purely-Provable Functions of First-Order Set 
Existence 

3.1 Some Examples of Purely-Provable Functions 

It is of interest to note from the outset that the proof of Proposition 5 uses set existence for a second-order formula, so it does not establish the pure-provability in $L_2(\mathrm{FO})$ of all primitive recursive functions (which indeed does not hold). However, we can easily show the pure-provability in $L_2(\mathrm{FO})$ of some basic numeric functions, such as addition, multiplication, and exponentiation. Our programs for addition and multiplication are simply the defining equations for these functions:

$+(x)(0) = x$            $*(x)(0) = 0$
$+(x)(sy) = s(+(x)(y))$      $*(x)(sy) = +(*(x)(y))(x)$

A program for an exponential-growth function that lends itself to a short proof is $e(0, y) = sy$, $e(sx, y) = e(x, e(x, y))$. This defines the function $e(x, y) = 2^x + y$.
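As an added example (not code from the paper), a small innermost-rewriting evaluator for equational programs in the sense of Section 2.2, run on the programs for +, * and e above; the tuple encoding of terms and the uncurried spelling ('+', x, y) for the paper's +(x)(y) are assumptions of this example.

```python
# Added example, not from the paper: evaluating equational programs by
# innermost rewriting.  Terms are nested tuples (symbol, arg, ...) or bare
# symbol strings; pattern variables are strings starting with '?'.
# The paper's curried +(x)(y) is written ('+', x, y) here (an assumption of
# this example, not the paper's notation).
from typing import Any, Dict, List, Tuple

Term = Any
Program = List[Tuple[Term, Term]]       # list of equations (lhs, rhs)

CONSTRUCTORS = ('0', 's')                # the free algebra N


def num(n: int) -> Term:
    """The numeral s(s(...s(0)...)) with n occurrences of s."""
    t: Term = '0'
    for _ in range(n):
        t = ('s', t)
    return t


def to_int(t: Term) -> int:
    """Inverse of num, for base-terms only."""
    n = 0
    while t != '0':
        if not (isinstance(t, tuple) and t[0] == 's'):
            raise ValueError(f"not a numeral: {t!r}")
        t = t[1]
        n += 1
    return n


def match(pat: Term, term: Term, env: Dict[str, Term]) -> bool:
    """First-order matching of a pattern against a closed term."""
    if isinstance(pat, str):
        if pat.startswith('?'):
            if pat in env:
                return env[pat] == term
            env[pat] = term
            return True
        return pat == term
    return (isinstance(term, tuple) and len(term) == len(pat)
            and all(match(p, t, env) for p, t in zip(pat, term)))


def subst(t: Term, env: Dict[str, Term]) -> Term:
    """Apply the substitution env to t ({t/x}E in the paper's notation)."""
    if isinstance(t, str):
        return env.get(t, t)
    return tuple(subst(x, env) for x in t)


def evaluate(program: Program, t: Term) -> Term:
    """Innermost rewriting: arguments first, then the first applicable
    equation.  Each step is an instance of the derivability rules 1-4 of
    Section 2.2, so a result v means program |- t = v."""
    if isinstance(t, str):
        return t
    head, *args = t
    t = (head, *[evaluate(program, a) for a in args])
    if head in CONSTRUCTORS:
        return t
    for lhs, rhs in program:
        env: Dict[str, Term] = {}
        if match(lhs, t, env):
            return evaluate(program, subst(rhs, env))
    raise ValueError(f"no equation applies to {t!r}")   # partial function


# The programs of Section 3.1, transcribed as (lhs, rhs) equations.
PLUS: Program = [
    (('+', '?x', '0'), '?x'),
    (('+', '?x', ('s', '?y')), ('s', ('+', '?x', '?y'))),
]
TIMES: Program = PLUS + [
    (('*', '?x', '0'), '0'),
    (('*', '?x', ('s', '?y')), ('+', ('*', '?x', '?y'), '?x')),
]
EXP: Program = [
    (('e', '0', '?y'), ('s', '?y')),
    (('e', ('s', '?x'), '?y'), ('e', '?x', ('e', '?x', '?y'))),
]


def run(program: Program, f: str, *inputs: int) -> int:
    """The value f^P(inputs) of the principal identifier f on numerals."""
    return to_int(evaluate(program, (f, *map(num, inputs))))


if __name__ == '__main__':
    print(run(PLUS, '+', 2, 3), run(TIMES, '*', 3, 4), run(EXP, 'e', 3, 2))
```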

To prove the addition function in $L_2(\mathrm{FO})$ assume N[x] and N[y]. Towards proving $N[+(x)(y)]$ assume $\mathrm{Cl}_N[Q]$. By N[x], the latter implies Q(x). Instantiating the universal set quantifier of N[y] to the (first-order!) predicate $\psi_+[z] =_{df} \lambda z.\,Q(+(x)(z))$ we have $\mathrm{Cl}_N[\psi_+] \to \psi_+[y]$. From Q(x) and the program for + we obtain $\psi_+[0]$. From the program and $\mathrm{Cl}_N[Q]$, and using equational rules, we obtain $\psi_+[z] \to \psi_+[s(z)]$. Thus we conclude $\mathrm{Cl}_N[\psi_+]$, and so $\psi_+[y]$. We have shown $\mathrm{Cl}_N[Q] \to Q(+(x)(y))$ for arbitrary Q, i.e. $N[+(x)(y)]$ has been proved from N[x] and N[y].

To prove the multiplication function in $L_2(\mathrm{FO})$ assume N[x] and N[y]. Towards proving $N[*(x)(y)]$ assume $\mathrm{Cl}_N[Q]$. Instantiating the universal set quantifier of N[y] to the (first-order!) predicate $\psi_*[z] =_{df} \lambda z.\,Q(*(x)(z))$ we obtain $\mathrm{Cl}_N[\psi_*] \to \psi_*[y]$. From Q(0) and the program for * we get $\psi_*[0]$. Now, towards proving $\psi_*[z] \to \psi_*[sz]$ assume $Q(*(x)(z))$. Since N[x] is given we obtain from this, as in the proof above for addition, that $Q(+(*(x)(z))(x))$, which by an equational rule and the program implies $Q(*(x)(sz))$, i.e. $\psi_*[sz]$. We thus conclude $\mathrm{Cl}_N[\psi_*]$, and so $\psi_*[y]$. We have proved $\mathrm{Cl}_N[Q] \to Q(*(x)(y))$ for an arbitrary Q, given N[x] and N[y].

Finally, to prove the function e in $L_2(\mathrm{FO})$ assume N[x] and N[y]. Towards proving $N[e(x)(y)]$ assume $\mathrm{Cl}_N[Q]$. Instantiating the universal set quantifier of N[x] to the predicate $\psi_e[z] =_{df} \lambda z.\,(\forall u.\, Q(u) \to Q(e(z)(u)))$ we obtain $\mathrm{Cl}_N[\psi_e] \to \psi_e[x]$. Since Q is closed under successor, and $e(0)(u) = su$, we have $\psi_e[0]$. Towards proving $\psi_e[z] \to \psi_e[sz]$ assume $\psi_e[z]$, i.e. $\forall u.\, Q(u) \to Q(e(z)(u))$. Towards proving $\psi_e[sz]$ assume Q(v). From this we get $Q(e(z)(v))$. Using $\psi_e[z]$ again, this time with u instantiated to $e(z)(v)$, yields $Q(e(z)(e(z)(v)))$. By the program and equational rules we get from the latter $Q(e(sz)(v))$. We have thus proved $\forall v.\, Q(v) \to Q(e(sz)(v))$, and so $\mathrm{Cl}_N[\psi_e]$. Therefore $\psi_e[x]$. Instantiating u in the latter to y yields $Q(y) \to Q(e(x)(y))$. But we have N[y] and $\mathrm{Cl}_N[Q]$, from which we get Q(y). Thus we proved $Q(e(x)(y))$ from $\mathrm{Cl}_N[Q]$, for an arbitrary Q. Hence $N[e(x)(y)]$ has been proved from the assumptions N[x] and N[y].

Since the purely-provable functions are trivially closed under composition, 
the pure-provability of the function e immediately yields 



Lemma 7 Every elementary function is majorized by a function purely-provable in $L_2(\mathrm{FO})$.
3.2 Classical vs. Constructive Function Provability

It is well-known that the functions provably recursive in classical theories, such as first- and second-order arithmetic, are already provable in their intuitionistic counterparts. Analogous results hold for function provability and pure-provability.

Theorem 8 Let C be a class of first-order formulas, with the following closure property: if $\varphi'$ arises from $\varphi \in C$ by double-negating all atomic, disjunctive, and existential subformulas, then $\varphi' \in C$. If (P, f) is a program purely-provable in the classical variant $L_2^c(C)$ (see Table 1), then it is purely-provable in $L_2(C)$.

Proof sketch. Suppose $P \vdash W[x] \to W[f(x)]$ in $L_2^c(C)$. By standard proof theoretic analysis, there is a classical deduction of $\mathrm{Cl}_W[R] \to R(f(x))$ from P and formulas $\mathrm{Cl}_W[\psi_i] \to \psi_i[x]$, where the $\psi_i$ are in C. By standard translations (see e.g. [SchwichTroel] sec. 2.3), there is a deduction in minimal first-order logic of $\mathrm{Cl}_W[\neg\neg R] \to \neg\neg R(f(x))$ from P and $\mathrm{Cl}_W[\psi'_i] \to \psi'_i[x]$.

But $\mathrm{Cl}_W[R]$ implies, in minimal first-order logic, $\mathrm{Cl}_W[\neg\neg R]$, and $\psi'_i \in C$ by assumption; so $\neg\neg R(f(x))$, i.e. $(R(f(x)) \to \bot) \to \bot$, is derived from P, W[x] and $\mathrm{Cl}_W[R]$ in $L_2(C)$. Since there is no rule for $\bot$ in $L_2$, it can be replaced in the proof by R(f(x)), yielding a proof of $\mathrm{Cl}_W[R] \to R(f(x))$ from P and W[x]. Universally closing with respect to R, we obtain the provability of (P, f) in $L_2(C)$. ∎

3.3 Pure-Provability and A-Representability 

We write $1\lambda$ for the (Church-style) simply typed lambda calculus, based on abstraction and application only. The types here are generated from a base type o by the arrow construction →. We omit some parentheses by associating arrow to the right, and write $\tau_1, \ldots, \tau_r \to \sigma$ for $\tau_1 \to \cdots \to \tau_r \to \sigma$. Each variable comes with an assigned type. Terms are formed using λ-abstraction and application. We optionally superscript terms to indicate their type. Thus we have $(\lambda x^\tau.\, E^\sigma)^{\tau \to \sigma}$ and $(F^{\tau \to \sigma} E^\tau)^\sigma$. We write $=_\beta$ for term β-equality.

Base terms of N and W can be usefully represented in $1\lambda$ by abstracting with respect to the constructors. E.g. the numeral for 2, ss0, is represented by $\lambda s^{o \to o} z^o.\, ssz$, i.e. the Church numeral for 2. We denote the Church-numeral for $n \in \mathbb{N}$ by $n^{[o]}$. The type of the Church-numerals is thus $\nu = \nu[o] =_{df} (o \to o) \to o \to o$.

The λ-representation of W is similar: the word $w = abb\epsilon$ is represented by $\lambda a^{o \to o}\, b^{o \to o}\, \epsilon^o.\, abb\epsilon$, for which we write $w^{[o]}$ (this construction is due to [5]). That is, $w^{[o]}$ is obtained from w by treating the identifiers a, b and ε as variables of the corresponding types, and then λ-abstracting with respect to these variables. The type of these word-terms is thus $\omega = \omega[o] =_{df} (o \to o) \to (o \to o) \to o \to o$.

The constructions above can be restated using any given type τ in place of the base type o. We obtain then a λ-representation $n^{[\tau]}$ for $n \in \mathbb{N}$, of type $\nu[\tau]$, and a λ-representation $w^{[\tau]}$ for $w \in W$, of type $\omega[\tau]$.
A λ-term F is said to Church-represent a function $f : \mathbb{N} \to \mathbb{N}$ if for all $n \in \mathbb{N}$, $F\, n^{[o]} =_\beta (fn)^{[o]}$. We then say that f is representable in $1\lambda$. The definition of Church-representability is similar for functions of higher arity, and for functions over W.

Let $\tau_1, \ldots, \tau_r$ be types, and let $\nu_i =_{df} \nu[\tau_i]$. A λ-term F is said to broadly-represent a function $f : \mathbb{N}^r \to \mathbb{N}$ if

$F\, n_1^{[\tau_1]} \cdots n_r^{[\tau_r]} =_\beta (f n_1 \cdots n_r)^{[o]}.$

(Relaxing the definition to allow the output to have type $\nu[\sigma]$ for some σ other than o makes no difference.) We say that a function $g : \mathbb{N}^k \to \mathbb{N}$ is broadly-represented in $1\lambda$ if it is definable by diagonalization (i.e. identifying inputs) from a broadly-representable function. The definition for functions over W is similar.

By [29] we know that the predecessor function is not Church-representable in $1\lambda$, from which it follows that subtraction is not broadly-representable.



Theorem 9 If a function over W is purely-provable in $L_2(\mathrm{FO})$ then it is broadly-representable in the simply typed λ-calculus $1\lambda$.

Note that, by Theorem 8, it does not matter whether $L_2(\mathrm{FO})$ is based on classical, intuitionistic, or minimal logic.

Proof Outline. By a deduction-normalization argument it follows that if a program (P, f) is purely-provable in $L_2(\mathrm{FO})$, with f unary say, then Q(f(x)) is provable in first-order logic from Cl[Q] and formulas of the form $\mathrm{Cl}[\psi_i] \to \psi_i[x]$, where the $\psi_i$ are all first-order. This first-order proof maps, under the Curry-Howard morphism defined in [20] (which disregards quantifiers and equality), to a term of $1\lambda$ that broadly-represents the function computed by P. ∎

In fact, we also have the converse.¹²

Theorem 10 All functions broadly-represented in $1\lambda$ are purely-provable in $L_2(\mathrm{FO})$.

Proof Outline. We generalize the notion of function representation to functionals of all types, with, in addition, a distinction between weak representation of data (over type o) and a spectrum of strong representations (over types such as $\nu[\tau]$ and $\omega[\tau]$). This construction is best captured by a notion of tiered functions, as defined in [14].¹³ One proves then that the tiered functionals represented in $1\lambda$

¹² We take the liberty of giving a greatly condensed proof-outline here, since this observation and proof, albeit of independent interest, have no bearing on our main results.

¹³ Tiered functions underlie the characterization of poly-time in [16] and the elementary functions in [18]. A variant was used by Bellantoni and Cook to also characterize poly-time [2].
are precisely the functionals defined by tiered parametrized-iteration in higher type.¹⁴

One then generalizes the notion of pure-provability to functionals of all finite types, as follows. The language of $L_2$ is extended to allow variables for functions of all finite types, but with no comprehension principle for these. The notion of equational program is also generalized to all finite types. The definition of function provability is generalized to all types as follows. Define $\mathrm{Tot}^o[x] =_{df} W[x]$, and $\mathrm{Tot}^{\sigma \to \tau}[F] =_{df} \forall f^\sigma\,(\mathrm{Tot}^\sigma[f] \to \mathrm{Tot}^\tau[Ff])$. A program (P, F), for a functional F of type τ, is said to be purely-provable if $\mathrm{Tot}^\tau[F]$ is provable from P.

Finally, one shows that every functional defined by tiered monotonic recurrence is provable. Restricted to first-order types, this is the sought result. ∎



4 Function Provability 

4.1 Proving Functions over Rudimentary Data-Axioms 

Theorem 9 shows that the notion of pure-provability, which is natural and satisfactory for sufficiently powerful logics, is not appropriate when the logic is weak. This can be explained by the fact that data objects are used in computing in two orthogonal ways: as structured storage of bits of information, and as templates that drive iterative constructs. The first aspect is exemplified by data-storage devices, whose memory architecture may in fact be non-sequential (e.g. hypercubes). Essential to this role is the ability to (1) recognize the data visited; and (2) navigate efficiently within the store, e.g. move forward and backward within a linear memory structure (such as strings). When data is represented as a free term algebra, data recognition means simply the detection of the main constructor of a term, and backward navigation is conveyed by the presence of destructor functions.

In contrast, the use of data as templates for iteration and recursion is umbilically tied to the inductive construction of data, on which the second order definition of data is based. Data detection and backward navigation can be recovered, as illustrated by Theorem 6, but at a cost, both logical and computational, that is no longer available in weak formalisms.

In [16] we addressed this issue by considering an asymmetric statement of program provability, where the characterization of the input as correct data is formally stronger than the characterization of the output as correct data. Here we consider instead the inclusion of rudimentary properties of data detection as axioms, resulting in simpler, cleaner, and more useful notions and theorems.

To focus on the essentials, we continue to refer to the algebra W of words, generated from the 0-ary constructor (i.e. constant) ε and the unary constructors

¹⁴ Parameterized iteration, also referred to as monotonic recurrence, disallows reference to previous values of the recurrence argument, allowing a definition f(sn, x) = g(f(n, x), x), but not f(sn, x) = g(f(n, x), n, x).
a and b. We rephrase the second order definition of data to address the issue of navigation directly, and define

$W'[x] =_{df} \forall Q\,(\mathrm{Cl}'_W[Q] \to Q(x)),$

where

$\mathrm{Cl}'_W[Q] =_{df} Q(\epsilon) \wedge \forall u\,(Q(u) \leftrightarrow Q(a(u))) \wedge \forall u\,(Q(u) \leftrightarrow Q(b(u))).$

We redefine the rendition of function totality accordingly: for an r-ary function identifier f let

$\mathrm{Tot}'(f) =_{df} \forall x_1 \ldots x_r.\ (W'[x_1] \wedge \cdots \wedge W'[x_r] \to W'[f(\vec{x})])$

The Rudimentary Theory for W, RT(W), has as vocabulary the constructors of W and a unary predicate identifier $W_0$, intended to range over W.¹⁵ The axioms are:

- $W_0(\epsilon)$

- $\forall x\,(W_0(x) \leftrightarrow W_0(ax))$, $\forall x\,(W_0(x) \leftrightarrow W_0(bx))$,

- $\mathrm{Det} =_{df} \forall x\,(W_0(x) \to (x = \epsilon \vee \exists y\, x = a(y) \vee \exists y\, x = b(y)))$



Definition 11 Let (P, f) be a coherent program over W. Let T be a higher-order deductive system over a vocabulary containing the vocabulary $V_P$. We say that P is provable in T if $\mathrm{Tot}'(f)$ is derivable in T from RT(W). In that case we also say that the function computed by (P, f) is provable in T.

The proof of Theorem 8 applies verbatim to function provability, yielding 



Theorem 12 Let C be a class of first-order formulas, with the following closure property: if $\varphi'$ arises from $\varphi \in C$ by double-negating all atomic, disjunctive, and existential subformulas, then $\varphi' \in C$. If (P, f) is a program provable in $L_2^c(C)$, then it is provable in $L_2(C)$. ∎

Theorem 13 A function over W is provable in $L_2(\mathrm{FO})$ (based on classical, intuitionistic, or minimal logic) iff it is elementary (in the sense of Kalmár).

This follows from Propositions 14 and 15 below.

¹⁵ We use the subscript to disambiguate this primitive identifier from the defined predicate W.
4.2 Function Provability Implies Elementary Complexity

Proposition 14 If a function over W is provable in $L_2(\mathrm{FO})$ then it is elementary.

Proof Outline. As in the proof of Theorem 9, if a program (P, f) over W is provable in $L_2(\mathrm{FO})$, with f unary say, then there is a normal first-order deduction $\mathcal{D}[x]$, deriving Q(f(x)) from the axioms of RT(W), $\mathrm{Cl}'_W[Q]$, and formulas of the form $\mathrm{Cl}'_W[\psi_i] \to \psi_i[x]$, where the $\psi_i$ are all first-order.

Given an input $w \in W$, the deduction $\mathcal{D}[w]$ can be combined with the deductions of $\mathrm{Cl}'_W[\psi_i] \to \psi_i[w]$, to form a deduction $\mathcal{D}_{fw}$, that derives Q(f(w)) from RT(W) and $\mathrm{Cl}'_W[Q]$. Since the size of detours (cut-formulas) in $\mathcal{D}_{fw}$ is bounded independently of w, $\mathcal{D}_{fw}$ can be normalized, in time elementary in the size of w, yielding a closed and normal derivation. Since the latter is closed and normal (whence it also satisfies the subformula property), the axioms RT(W) are not used, and the proof consists of equations and implication eliminations corresponding to the biconditionals in $\mathrm{Cl}'_W[Q]$. The value fw can be read off trivially from that derivation. ∎



4.3 Elementary Functions Are Provable in $L_2(\mathrm{FO})$

Proposition 15 Every elementary function is provable in $L_2(\mathrm{FO})$.

Proof Outline. Let $f : W \to W$ be Turing-computable in elementary time. By the proof of Lemma 1, there is an equational program (P, R) referring to program-functions R, L and S, and such that f(x) = R(t, x) for all t exceeding some T(x), where T is elementary, and R is the function computed by (P, R). By Lemma 7 we may assume that T is (purely-) provable in $L_2(\mathrm{FO})$; in particular, f(x) = R(T(x), x).

It therefore suffices to show that the function R(t, x), i.e. the program (P, R), is provable. Assume W'[t] and W'[x]. Towards proving W'[R(t, x)] assume $\mathrm{Cl}'_W[Q]$. Instantiating the relational quantifier in W'[t] to

$\psi[z] =_{df} Q(R(z, x)) \wedge Q(L(z, x)) \wedge W_0(R(z, x)) \wedge W_0(L(z, x)),$

we have $\mathrm{Cl}'_W[\psi] \to \psi[t]$.

We show $\mathrm{Cl}'_W[\psi]$. From W'[x] and $\mathrm{Cl}'_W[Q]$ we have Q(x), from which $\psi[\epsilon]$ follows. Using $\mathrm{Cl}'_W[Q]$ and all axioms of RT(W), we obtain $\psi[w] \leftrightarrow \psi[aw]$ and $\psi[w] \leftrightarrow \psi[bw]$. We thus have $\mathrm{Cl}'_W[\psi]$, and therefore $\psi[t]$. In particular, Q(R(t, x)). Since Q is arbitrary, we conclude W'[R(t, x)], concluding the proof. ∎
Abstract. The calculus of structures is a framework for specifying logical systems, which is similar to the one-sided sequent calculus but more general. We present a system of inference rules for propositional classical logic in this new framework and prove cut elimination for it. The system enjoys a decomposition theorem for derivations that is not available in the sequent calculus. The main novelty of our system is that all the rules are local: contraction, in particular, is reduced to atomic form. This should be interesting for distributed proof-search and also for complexity theory, since the computational cost of applying each rule is bounded.



1 Introduction 

When implementing inference systems, in a distributed fashion especially, the need to copy formulae of unbounded size is generally considered problematic. In the sequent calculus, it is caused by the contraction rule, e.g. in Gentzen's LK [2]:

    Γ ⊢ Φ, A, A
    -----------
     Γ ⊢ Φ, A

Here, going from bottom to top in constructing a proof, a formula A of un- 
bounded size is duplicated. Whatever mechanism performs this duplication, it 
has to inspect all of A, so it has to have a global view on A. While this can 
be taken for granted on a single processor system, it is harder to achieve on a 
distributed system, where each processor has a limited amount of local memory. 
The formula A could be spread over a number of processors. In that case, no 
single processor has a global view on A. 

Let us call local those inference rules that do not require such a global view on formulae of unbounded size, and non-local those rules that do. Besides contraction, another example of clearly non-local behaviour is provided by the promotion rule in the sequent calculus for linear logic [3]. To remove an exclamation mark from one formula, it has to check whether all formulae in the context are prefixed with a question mark. The number of formulae to check is unbounded:

    ⊢ A, ?B_1, ..., ?B_n
    ---------------------
    ⊢ !A, ?B_1, ..., ?B_n
While there are methods to solve these problems in the implementation, an interesting question is whether it is possible to solve them proof-theoretically, i.e. by avoiding non-local rules altogether. This question is answered positively in this paper for the case of classical propositional logic. The predicative case is work in progress and is sketched in the conclusion.

Locality is achieved by reducing the problematic rules to their atomic forms. This is not entirely new: there are sequent systems for classical logic in which the identity axiom is reduced to its atomic form, i.e.

    A ⊢ A  is admissible for  a ⊢ a,

where a is an atom. However, we do not know of any sequent system in which contraction and weakening are admissible for their atomic forms. In fact, we believe that such a system does not exist. To achieve our goal, we depart from the sequent calculus and employ the recently conceived calculus of structures [5]. In contrast to the sequent calculus, it does not rely on the notion of main connective and permits the application of rules anywhere deep inside a formula, exploiting the fact that implication is closed under disjunction and conjunction. This ability is crucial for the rules of our system. The calculus of structures has already successfully been employed in [7] to solve the problem of the non-local behaviour of the promotion rule.

This paper is structured as follows: first, we introduce basic notions of the calculus of structures. Then we present our system, named SKS, and argue that its rules are local. We prove that it is equivalent to the Gentzen-Schütte formulation of classical logic, prove cut elimination and state two decomposition theorems for derivations. In the end, some open problems are identified.

2 Structures and Derivations 

Definition 2.1. There are infinitely many literals. Literals, positive or negative, are denoted by a, b, .... There are two special literals, true and false, denoted t and f. The structures of the language KS are generated by

$S ::= a \mid [\underbrace{S, \ldots, S}_{>0}] \mid (\underbrace{S, \ldots, S}_{>0}) \mid \bar{S},$

where $[S_1, \ldots, S_h]$ is a disjunction and $(S_1, \ldots, S_h)$ is a conjunction. $\bar{S}$ is the negation of the structure S. Structures are denoted by S, P, Q, R, T, U, V and W. Structures with a hole that does not appear in the scope of a negation are denoted by S{ }. The structure R is a substructure of S{R}, and S{ } is its context. We simplify the indication of context in cases where structural parentheses fill the hole exactly: for example, S[R,T] stands for S{[R,T]}. Structures are considered to be syntactically equivalent modulo the relation =, which is the smallest congruence relation induced by the equations shown in Fig. 1, where R and T stand for finite, non-empty sequences of structures.
Constants
$[f, R] = [R]$
$(t, R) = (R)$

Associativity
$[R, [T]] = [R, T]$
$(R, (T)) = (R, T)$

Commutativity
$[R, T] = [T, R]$
$(R, T) = (T, R)$

Negation
$\bar{t} = f$
$\bar{f} = t$
$\overline{[R_1, \ldots, R_h]} = (\bar{R}_1, \ldots, \bar{R}_h)$
$\overline{(R_1, \ldots, R_h)} = [\bar{R}_1, \ldots, \bar{R}_h]$
$\bar{\bar{R}} = R$

Singleton
$[R] = R = (R)$

Fig. 1. Syntactic equivalence on structures



Structures are somewhere between formulae and sequents. They share with 
formulae their tree-like shape and with sequents the built-in, decidable equiva- 
lence modulo associativity and commutativity. Structures have a normal form, 
unique modulo commutativity, where negation only occurs in the form of nega- 
tive literals and all constants that can be removed are removed. In all inductive 
arguments to come, structures are considered to be in normal form. 

Definition 2.2. An inference rule is a scheme of the kind

         S{T}
    ρ ---------
         S{R}

where ρ is the name of the rule, S{T} is its premise and S{R} is its conclusion. The context S{ } may be empty. In an instance of ρ, the structure taking the place of R is called redex and the structure taking the place of T is called contractum. A (formal) system 𝒮 is a set of inference rules.

Definition 2.3. A derivation Δ in a certain formal system is a finite chain of instances of inference rules in the system:

          T
    π' --------
          V
    π  --------
          R

A derivation can consist of just one structure. The topmost structure in a derivation is called the premise of the derivation, and the structure at the bottom is
called its conclusion. A derivation Δ whose premise is T, whose conclusion is R, and whose inference rules are in 𝒮 will be indicated with

        T
    Δ ‖ 𝒮
        R

A proof Π in the calculus of structures is a derivation whose premise is t. It will be denoted by

    Π ‖ 𝒮
        R

A rule ρ is strongly admissible for a system 𝒮 if ρ ∉ 𝒮 and for every instance of ρ

        T
    ρ -----
        R

there is a derivation

        T
    Δ ‖ 𝒮
        R

A rule ρ permutes over a rule π (or π permutes under ρ) if for every derivation

        T
    π -----
        U
    ρ -----
        R

there is a derivation

        T
    ρ -----
        V
    π -----
        R

for some structure V.



3 System SKS 

System SKS is shown in Fig. 2. The first S stands for “symmetric” or “self-dual”, 
meaning that for each rule its dual (or contrapositive) is also in the system. The 
K stands for “klassisch” as in Gentzen’s LK and the last S means that it is a 
system on structures. 

The rules ai↓, s, m, aw↓, ac↓ are called respectively atomic identity, switch, 
medial, atomic weakening and atomic contraction. Their dual rules carry the 
same name prefixed with a "co-", so e.g. aw↑ is called atomic co-weakening. The 
rule ai↑ is special, it is called atomic cut. Rules ai↓, aw↓, ac↓ are called down-rules 
and their duals are called up-rules. 

Note that no rule requires the duplication or the comparison of structures 
of unbounded size. The atomic rules only need to duplicate or compare literals. 
The two rules that involve structures of unbounded size are m and s. Since they 
do not duplicate or compare the structures held by R, T, U and V, there is no 
need to inspect those structures at all. Consider structures represented as trees 
in the obvious way. Then the switch rule can be implemented by changing the 
marking of two nodes and exchanging two pointers (similarly for medial): 



   premise S([R,T],U)          conclusion S[(R,U),T] 

        S( )                        S[ ] 
        /  \                        /  \ 
      [ ]   U                     ( )   T 
      / \                         / \ 
     R   T                       R   U 



In the sequent calculus, a logical rule gives meaning to the main connective of a 
formula by saying that the formula is provable if certain immediate subformulae 
are provable. During a proof-search, formulae successively get decomposed, with 
their main connectives disappearing. 
The rules switch and medial of system SKS do not fit into this scheme. Not 
only are they applicable deep inside a formula (or structure, for that matter), 
there also is no main connective that is removed. While there is a connection 
between the switch rule and the R∧ rule in the sequent calculus (cf. the proof of 
Theorem 4.2), the medial rule bears no resemblance to any sequent calculus rule. 
Its premise is a disjunction and its conclusion a conjunction. This is impossible 
in the sequent calculus, where the conclusion of a rule is always a disjunction (a 
sequent) and the premise of a rule is either also a disjunction (for single premise 
rules) or a conjunction (for two premise rules, since the two premises are logically 
in a conjunction). 
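The locality argument above (switch and medial change the marks of a few nodes and exchange two pointers, never looking inside the subtrees R, T, U, V) is worth seeing in code. The following is an added example of our own, not code from the paper or its authors: structures are mutable trees, `switch` and `medial` are the in-place pointer operations, and `implies` checks by exhaustive valuation that each inference step is sound, i.e. that the premise implies the conclusion. The names `Node`, `switch`, `medial`, `apply_rule` and the sample structures are our own choices.

```python
import copy
from itertools import product

class Node:
    """A structure as a tree: kind is 'or' for [...], 'and' for (...) or 'atom'.
    Negation lives only on atoms (normal form); the empty 'and' is t, the empty 'or' is f."""
    def __init__(self, kind, children=(), name=None, neg=False):
        self.kind, self.children = kind, list(children)
        self.name, self.neg = name, neg

def atom(name, neg=False):
    return Node('atom', name=name, neg=neg)

def OR(*xs):
    return Node('or', xs)

def AND(*xs):
    return Node('and', xs)

def show(n):
    """Render in the paper's notation; a negated atom is written with a leading '-'."""
    if n.kind == 'atom':
        return ('-' if n.neg else '') + n.name
    inner = ','.join(show(c) for c in n.children)
    return '[%s]' % inner if n.kind == 'or' else '(%s)' % inner

def switch(a):
    """Switch s: ([U,V],W) -> [(U,W),V], applied in place at the conjunction node a.
    Only the marks of a and of its first child change, and two pointers (V and W)
    are exchanged; the subtrees U, V, W are never inspected, which makes the rule local."""
    b, w = a.children
    assert a.kind == 'and' and b.kind == 'or' and len(b.children) == 2
    a.kind, b.kind = 'or', 'and'
    b.children[1], a.children[1] = w, b.children[1]

def medial(a):
    """Medial m: [(R,T),(U,V)] -> ([R,U],[T,V]), in place at the disjunction node a.
    Three marks change and the pointers to T and U are exchanged."""
    b, c = a.children
    assert a.kind == 'or' and b.kind == c.kind == 'and'
    assert len(b.children) == 2 and len(c.children) == 2
    a.kind, b.kind, c.kind = 'and', 'or', 'or'
    b.children[1], c.children[0] = c.children[0], b.children[1]

def atoms(n):
    if n.kind == 'atom':
        return {n.name}
    return set().union(*(atoms(c) for c in n.children))

def evaluate(n, val):
    """Classical truth value of a structure under a valuation (dict name -> bool)."""
    if n.kind == 'atom':
        return val[n.name] != n.neg
    results = [evaluate(c, val) for c in n.children]
    return all(results) if n.kind == 'and' else any(results)

def implies(premise, conclusion):
    """True iff every valuation satisfying the premise satisfies the conclusion,
    i.e. the inference step is sound; checked by enumerating all valuations."""
    names = sorted(atoms(premise) | atoms(conclusion))
    for bits in product([False, True], repeat=len(names)):
        val = dict(zip(names, bits))
        if evaluate(premise, val) and not evaluate(conclusion, val):
            return False
    return True

def apply_rule(structure, rule, path):
    """Return (premise, conclusion): copies of structure before and after applying
    rule at the node reached by following the child indices in path (the context S{ })."""
    premise = copy.deepcopy(structure)
    conclusion = copy.deepcopy(structure)
    node = conclusion
    for i in path:
        node = node.children[i]
    rule(node)
    return premise, conclusion

def demo():
    # Constructed sample structures: S{ } = [x, { }] around the switch redex ([a,b],c),
    # and the medial redex [(a,b),(c,d)] at the root.
    s = OR(atom('x'), AND(OR(atom('a'), atom('b')), atom('c')))
    m = OR(AND(atom('a'), atom('b')), AND(atom('c'), atom('d')))
    p, c = apply_rule(s, switch, [1])
    mp, mc = apply_rule(m, medial, [])
    return {'switch': (show(p), show(c), implies(p, c), implies(c, p)),
            'medial': (show(mp), show(mc), implies(mp, mc), implies(mc, mp))}

if __name__ == '__main__':
    for name, (before, after, sound, reverse) in demo().items():
        print(name, before, '->', after, 'sound:', sound, 'reversible:', reverse)
```

Both rules are sound but not invertible (the conclusion does not imply the premise), which is the expected reading of a down-rule: top-down it weakens the structure, bottom-up in proof-search it strengthens the goal. The tree is kept binary here; the equations of Fig. 1 would identify [x,[(a,c),b]] with [x,(a,c),b].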

Remark 3.1. When talking about derivations, taking the dual means turning 
them upside-down, thereby exchanging premise and conclusion, and replacing 
each connective and constant by its De Morgan dual. For example 

            t 
   ai↓ ----------------- 
         [b, $\bar{b}$] 
   ai↓ ----------------- 
         ([a, $\bar{a}$], [b, $\bar{b}$]) 
   s   ----------------- 
         [b, ([a, $\bar{a}$], $\bar{b}$)] 
   s   ----------------- 
         [a, b, ($\bar{a}$, $\bar{b}$)] 

is dual to 

         ($\bar{a}$, $\bar{b}$, [a, b]) 
   s   ----------------- 
         ($\bar{b}$, [($\bar{a}$, a), b]) 
   s   ----------------- 
         [($\bar{a}$, a), ($\bar{b}$, b)] 
   ai↑ ----------------- 
         ($\bar{b}$, b) 
   ai↑ ----------------- 
            f 

Fig. 3. General identity, weakening, contraction and their duals 

While atomic rules are good e.g. from the point of view of mechanized proof- 
search, they are cumbersome for a user of the system. Of course, it should be 
possible to contract and weaken on arbitrarily large formulas, just as it should 



be possible to introduce arbitrarily large lemmas through the cut rule. Figure 3 
shows the general, i.e. non-atomic, versions of the atomic rules in SKS. The 
following theorem shows that they can be used. 

Theorem 3.2. General identity, weakening, contraction and their duals, i.e. the 
rules {i↓, i↑, w↓, w↑, c↓, c↑} are strongly admissible for system SKS. In particu- 
lar, the rules i↓, w↓ and c↓ are strongly admissible for {ai↓, s}, {aw↓, ac↓} and 
{ac↓, m}, respectively. Dually, the rules i↑, w↑, c↑ are strongly admissible for 
{ai↑, s}, {aw↑, ac↑} and {ac↑, m}, respectively. 

Proof. We will show strong admissibility of the rules {i↓, w↓, c↓} for the respec- 
tive subsystems of SKS. The proof of strong admissibility of their co-rules is 
dual. 

Given an instance of one of the following rules: 

          S{t}                  S{f}                  S[R,R] 
   i↓ -------------- ,   w↓ ------------ ,   c↓ ------------ , 
        S[R,$\bar{R}$]             S{R}                  S{R} 

construct a new derivation by structural induction on R: 

1. R is a literal: Then the instance of the general rule is also an instance of its 
atomic form. 

2. R = [P,Q], where P ≠ f ≠ Q: Note that [f,f] = f. Apply the induction 
hypothesis respectively on 

   S{t}  →(i↓)  S[Q,$\bar{Q}$]  →(i↓)  S([P,$\bar{P}$],[Q,$\bar{Q}$])  →(s)  S[Q,([P,$\bar{P}$],$\bar{Q}$)]  →(s)  S[P,Q,($\bar{P}$,$\bar{Q}$)] , 

   S{f} = S[f,f]  →(w↓)  S[P,f]  →(w↓)  S[P,Q] , 

   S[P,Q,P,Q]  →(c↓)  S[P,P,Q]  →(c↓)  S[P,Q] . 

3. R = (P,Q), where P ≠ t ≠ Q: Apply the induction hypothesis respectively 
on 

   S{t}  →(i↓)  S[Q,$\bar{Q}$]  →(i↓)  S([P,$\bar{P}$],[Q,$\bar{Q}$])  →(s)  S[$\bar{Q}$,([P,$\bar{P}$],Q)]  →(s)  S[$\bar{P}$,$\bar{Q}$,(P,Q)] , 

   S{f}  ⋯  S(P,Q)   (rule labels ac↓, w↓, w↓; the intermediate structures are not legible) , 

   S[(P,Q),(P,Q)]  →(m)  S([P,P],[Q,Q])  →(c↓)  S([P,P],Q)  →(c↓)  S(P,Q) . 

Example 3.3. Here are two proofs, one using the general rules, the other one 
in SKS, i.e. without using the general rules: 

   t  →(i↓)  [[a,b],($\bar{a}$,$\bar{b}$)]  →(c↑)  [([a,b],[a,b]),($\bar{a}$,$\bar{b}$)]  →(w↓)  [([a,b,c,d],[a,b]),($\bar{a}$,$\bar{b}$)] 

and 

   t  →(ai↓)  [b,$\bar{b}$]  →(ai↓)  [b,([a,$\bar{a}$],$\bar{b}$)]  →(s)  [a,b,($\bar{a}$,$\bar{b}$)]  →(ac↑)  [a,(b,b),($\bar{a}$,$\bar{b}$)] 
      →(ac↑)  [(a,a),(b,b),($\bar{a}$,$\bar{b}$)]  →(m)  [([a,b],[a,b]),($\bar{a}$,$\bar{b}$)] 
      →(aw↓)  [([a,b,c],[a,b]),($\bar{a}$,$\bar{b}$)]  →(aw↓)  [([a,b,c,d],[a,b]),($\bar{a}$,$\bar{b}$)] . 



4 Equivalence to Classical Logic 



In this section we will see translations between system SKS and system GS1p, 
a Gentzen-Schütte formulation of classical logic [8]. Derivations in GS1p are 
translated to derivations in SKS (without introducing cuts), and proofs in SKS 
are translated to proofs in GS1p (possibly introducing cuts). Cut elimination for 
SKS is a consequence of these translations and cut elimination in GS1p. 



System GS1p is shown in Figure 4. Its formulae are denoted by A and B. They 
contain negation only on atoms. Sequents are denoted by Σ or by ⊢ A_1, …, A_h, 
where h ≥ 0. Multisets of formulae are denoted by Φ and Ψ. Derivations are 
denoted by Δ or by 

   Σ_1 ⋯ Σ_h 
       Δ 
       Σ 

where h ≥ 0, the sequents Σ_1, …, Σ_h are the premises and Σ is the conclusion. 
Proofs are denoted by Π. 
   Ax -------------                  ⊢ Φ, A      ⊢ Ψ, $\bar{A}$ 
       ⊢ A, $\bar{A}$          Cut --------------------------- 
                                          ⊢ Φ, Ψ 

          ⊢ Φ, A                  ⊢ Φ, B                 ⊢ Φ, A      ⊢ Ψ, B 
   R∨l ------------        R∨r ------------        R∧ ------------------------ 
        ⊢ Φ, A ∨ B              ⊢ Φ, A ∨ B                 ⊢ Φ, Ψ, A ∧ B 

          ⊢ Φ                     ⊢ Φ, A, A 
   RW ----------           RC ------------- 
        ⊢ Φ, A                    ⊢ Φ, A 

Fig. 4. GS1p: classical logic in Gentzen-Schütte form 



Definition 4.1. The functions ·_S and ·_G given below transform formulae in 
GS1p into structures and vice versa: 

   a_S = a                              a_G = a 
   $\bar{a}$_S = $\bar{a}$                    $\bar{a}$_G = $\bar{a}$ 
   (A ∨ B)_S = [A_S, B_S]               t_G = a* ∨ $\bar{a}$* 
   (A ∧ B)_S = (A_S, B_S)               f_G = a* ∧ $\bar{a}$* 
                                        [R,T]_G = R_G ∨ T_G 
                                        (R,T)_G = R_G ∧ T_G 

where a* denotes a fixed arbitrarily chosen atom. The domain of ·_S is extended 
to sequents by (⊢)_S = f and (⊢ A_1, …, A_h)_S = [A_1S, …, A_hS], where h > 0. 

Theorem 4.2. For every derivation 

   Σ_1 ⋯ Σ_h 
       Δ 
       Σ 

in GS1p there is a derivation 

   (Σ_1S, …, Σ_hS) 
       Δ_S ‖ SKS 
       Σ_S 

Proof. By structural induction on Δ. 

Base Cases 

If Δ = Σ, take Σ_S; otherwise, if Δ = Ax ⊢ A, $\bar{A}$, then take 

            t 
   i↓ ------------------ 
       [A_S, $\bar{A}$_S] 

Inductive Cases 

We show the case where 

             Σ_1 ⋯ Σ_h        Σ'_1 ⋯ Σ'_l 
                Δ_1               Δ_2 
              ⊢ Φ, A            ⊢ Ψ, B 
   Δ  =  R∧ -------------------------------- 
                  ⊢ Φ, Ψ, A ∧ B 

The translations for other cases can be done in a similar way. By inductive 
hypothesis, we have the following derivations: 

   (Σ_1S, …, Σ_hS)            (Σ'_1S, …, Σ'_lS) 
       Δ_1S ‖ SKS                 Δ_2S ‖ SKS 
       [Φ_S, A_S]                 [Ψ_S, B_S] 

Placed side by side inside a conjunction they give a derivation Δ_1S;Δ_2S ‖ SKS 
from (Σ_1S, …, Σ_hS, Σ'_1S, …, Σ'_lS) to ([Φ_S, A_S], [Ψ_S, B_S]), and two 
instances of the switch rule bring this to [Φ_S, Ψ_S, (A_S, B_S)] = (⊢ Φ, Ψ, A ∧ B)_S. 
Corollary 4.3. If ⊢ A is provable in GS1p then A_S is provable in SKS. 

Theorem 4.4. If P is provable in SKS then ⊢ P_G is provable in GS1p. 

Proof. Let P = S{R} and 

   Π' ‖ SKS 
      S{T} 
   ρ --------- 
      S{R} 

be its proof in SKS. The proof of this theorem is based on a known property of 
GS1p, that is, if ⊢ R_G, $\bar{T}$_G is provable then so is ⊢ S{R}_G, $\overline{S\{T\}}$_G. 

Base Cases 

If Π = t then take 

   Ax ------------------------ 
          ⊢ a*, $\bar{a}$* 
   R∨l; R∨r --------------------------------- 
          ⊢ a* ∨ $\bar{a}$*, a* ∨ $\bar{a}$* 
   RC ----------------------------- 
          ⊢ a* ∨ $\bar{a}$* 

otherwise, if Π is the instance of ai↓ with premise t and conclusion [a, $\bar{a}$], 
then take the same derivation, but with a* replaced by a. 

Inductive Cases 

We assume that S{T}_G is provable in GS1p. By using the cut rule, we get 

         ⊢ S{T}_G       ⊢ S{R}_G, $\overline{S\{T\}}$_G 
   Cut ---------------------------------------------- 
                      ⊢ S{R}_G 

It is enough to show that ⊢ R_G, $\bar{T}$_G is provable. We show the case for 

             S([U,V],W) 
   ρ = s  -------------- . 
             S[(U,W),V] 

The property holds for the rest of the rules of SKS as well, as can easily be 
verified. Writing U, V, W for U_G, V_G, W_G, the derivation is built as follows: 

   Ax         ⊢ $\bar{U}$, U                          Ax      ⊢ $\bar{V}$, V 
   RW^n       ⊢ $\bar{U}$, U, V, $\bar{W}$                    RW^n    ⊢ $\bar{V}$, V, U, $\bar{W}$ 
   R∧; RC^n   ⊢ U, V, $\bar{U}$ ∧ $\bar{V}$, $\bar{W}$                  (from the two sequents above) 
   Ax         ⊢ W, $\bar{W}$ 
   RW^n       ⊢ W, $\bar{W}$, V, $\bar{U}$ ∧ $\bar{V}$ 
   R∧; RC^n   ⊢ U ∧ W, V, $\bar{U}$ ∧ $\bar{V}$, $\bar{W}$              (from the two preceding results) 
   R∨l; R∨r   ⊢ (U ∧ W) ∨ V, ($\bar{U}$ ∧ $\bar{V}$) ∨ $\bar{W}$, (U ∧ W) ∨ V, ($\bar{U}$ ∧ $\bar{V}$) ∨ $\bar{W}$ 
   RC^n       ⊢ (U ∧ W) ∨ V, ($\bar{U}$ ∧ $\bar{V}$) ∨ $\bar{W}$ 

The rule ρ^n denotes n applications of ρ. □ 

Cut elimination for SKS can be obtained by using the above translations: 
Given a proof Π in SKS, we can transform it to a proof Π' in GS1p and eliminate 
all the cuts there. The resulting cut-free proof in GS1p can then be translated 
back to a proof Π'' in SKS. The complete case analysis of the proof of Theorem 
4.2 shows that this transformation does not produce new cuts, and hence Π'' is 
a cut-free proof in SKS. 

5 Cut Elimination and Decomposition 

There is a very natural way of proving cut elimination for system SKS by using 
semantics, using the idea employed in [8] for the system G3. The proof actually 
gives us something more than just cut elimination, it eliminates all up-rules and 
also yields a decomposition of proofs into separate phases. 

Theorem 5.1 (Cut Elimination, semantically). For every proof 

   Π ‖ SKS 
     S 

there is a proof 

   Π' ‖ {ai↓} 
      S'' 
      ‖ {aw↓} 
      S' 
      ‖ {s, ac↓, m} 
      S 

Proof. Consider the rule distribute 

          S([R,T],[R,U]) 
   d↓  ------------------- , 
          S[R,(T,U)] 

which can be realized by a contraction and two switches: 

   S([R,T],[R,U])  →(s)  S[R,([R,T],U)]  →(s)  S[R,R,(T,U)]  →(c↓)  S[R,(T,U)] 

and thus by Theorem 3.2 is strongly admissible for {s, ac↓, m}. Build a derivation 

      S' 
      ‖ {d↓} 
      S 

by going upwards from S applying d↓ as many times as possible. Then 
S' will be in conjunctive normal form, i.e. 

   S' = ([a_11, a_12, …], [a_21, a_22, …], …, [a_n1, a_n2, …]) . 

S is valid because there is a proof of it. The rule d↓ is invertible, so S' is also valid. 
A conjunction is valid only if all its immediate substructures are valid. Those 
are disjunctions of atoms. A disjunction of atoms is valid only if it contains an 
atom a together with its negation $\bar{a}$. Thus, more specifically, S' is of the form 

   ([b_1, $\bar{b}_1$, a_11, a_12, …], [b_2, $\bar{b}_2$, a_21, a_22, …], …, [b_n, $\bar{b}_n$, a_n1, a_n2, …]) . 

Let S'' = ([b_1, $\bar{b}_1$], [b_2, $\bar{b}_2$], …, [b_n, $\bar{b}_n$]). Obviously, there is a derivation 

      S'' 
      ‖ {aw↓} 
      S' 

and a proof 

   Π ‖ {ai↓} 
     S'' 

□ 
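The proof just given is in effect a decision procedure: distribute upwards until S' is in conjunctive normal form, then check that every clause contains some atom together with its negation, and the chosen pairs b_i, b̄_i determine S''. The following is an added example of our own (not the paper's code) that carries this out; structures are nested tuples, `distribute`, `witness` and `proof_skeleton` are our own names, and the sample structures are constructed from Remark 3.1 and Example 3.3.

```python
# A structure is a literal (a string such as 'a', or '-a' for the negated atom),
# ('or', s1, s2, ...) for [s1, s2, ...] or ('and', s1, s2, ...) for (s1, s2, ...).
# ('and',) is t and ('or',) is f, exactly as in the calculus of structures.

def neg(lit):
    """The negation of a literal (negation only occurs on atoms in normal form)."""
    return lit[1:] if lit.startswith('-') else '-' + lit

def distribute(s):
    """Apply d↓ upwards as long as possible and return S' as a list of clauses
    (frozensets of literals), i.e. the conjunctive normal form of the structure."""
    if isinstance(s, str):
        return [frozenset([s])]
    kind, *parts = s
    cnfs = [distribute(p) for p in parts]
    if kind == 'and':
        return [clause for cnf in cnfs for clause in cnf]
    # kind == 'or': [R,(T,U)] becomes ([R,T],[R,U]), repeated over every conjunct
    result = [frozenset()]
    for cnf in cnfs:
        result = [c | d for c in result for d in cnf]
    return result

def witness(s):
    """For each clause of S', an atom b with both b and its negation in the clause
    (so S', and hence S, is valid and the proof of Theorem 5.1 exists); None if some
    clause has no such pair, in which case the structure is not provable."""
    pairs = []
    for clause in distribute(s):
        complementary = sorted(l for l in clause
                               if not l.startswith('-') and neg(l) in clause)
        if not complementary:
            return None
        pairs.append(complementary[0])
    return pairs

def proof_skeleton(s):
    """The two intermediate structures of the proof: S'' = ([b1,-b1],...,[bn,-bn]),
    reachable from t by ai↓, and S' (the CNF), reachable from S'' by aw↓; the step
    from S' down to S consists of the d↓ instances, i.e. of s, ac↓ and m."""
    bs = witness(s)
    if bs is None:
        return None
    s_dd = ('and', *(('or', b, neg(b)) for b in bs))
    s_d = ('and', *(('or', *sorted(c)) for c in distribute(s)))
    return s_dd, s_d

def valid(s):
    return witness(s) is not None

if __name__ == '__main__':
    # Constructed input: the conclusion of the first derivation in Remark 3.1.
    example = ('or', 'a', 'b', ('and', '-a', '-b'))
    print(valid(example), proof_skeleton(example))
```

Because d↓ is invertible, `witness` returning None is a genuine refutation, not just a failed search: a clause without a complementary pair can be falsified, and that valuation falsifies S as well. This is the sense in which KS (Corollary 5.2) needs no new atoms during proof-search.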

Let us call system KS the rules shown in Fig. 5. We know that for proof-search 
in SKS system KS is sufficient: 

Corollary 5.2. For every proof 

   Π ‖ SKS 
     S 

there is a proof 

   Π' ‖ KS 
      S 

As a result of cut elimination, sequent systems fulfill the subformula property. 
Our case is different, because our rules do not split the derivation according to 
the main connective of the active formula. However, system KS satisfies the main 
consequence of the subformula property: no new atoms have to be introduced in 
proof-search, i.e. the branching of the search tree is finite. 

Given that in system SKS the identity is a rule, not an axiom as in the 
sequent calculus, a natural question to ask is whether the applications of the 
identity rule can be restricted to the top of a derivation. For proofs, this question 
is already answered positively by Theorem 5.1. It turns out that it is also true 
for derivations. Because of the duality between ai j, and ait we can also push the 
cuts to the bottom of a derivation. While this can be obtained in the sequent 
calculus (using cut elimination), it can not be done with a simple permutation 
argument. 

We first reduce atomic identity and cut to shallow atomic identity and cut, 
the following rules: 

               S                              [S, (a, $\bar{a}$)] 
   ais↓ ------------------    and    ais↑ ------------------ 
          (S, [a, $\bar{a}$])                        S 
Lemma 5.3. The rule ai↓ is strongly admissible for {ais↓, s}. Dually, the rule 
ai↑ is strongly admissible for {ais↑, s}. 

Proof. By an easy structural induction on the context S{ }. Details are in [1]. 
□ 

Theorem 5.4 (Decomposition: separation of identity and cut). For every derivation 

      T 
   Δ  ‖ SKS 
      R 

there is a derivation 

      T 
      ‖ {ai↓} 
      V 
      ‖ SKS \ {ai↓, ai↑} 
      U 
      ‖ {ai↑} 
      R 

Proof. By Lemma 5.3 we can reduce atomic identities to shallow atomic identi- 
ties and the same for the cuts. It is easy to check that the rule ais↓ permutes over 
every rule in SKS and the rule ais↑ permutes under every rule in SKS. Instances 
of ais↓ and ais↑ are instances of ai↓ and ai↑, respectively. □ 

Contraction allows the repeated use of a statement in a proof by allowing to 
copy it at will. It should be possible to copy everything needed in the beginning, 
and then go on with the proof without ever having to copy again. This intuition 
is made precise by the following theorem and holds for system SKS. We do 
not know of such a result for the sequent calculus. There are sequent systems 
for classical propositional logic that do not have an explicit contraction rule, 
however, they treat the context additively, so contraction is “built-in” and used 
throughout the proof. 

Theorem 5.5 (Decomposition: separation of atomic contraction). For every derivation 

      T 
   Δ  ‖ SKS 
      R 

there is a derivation 

      T 
      ‖ {ac↑} 
      V 
      ‖ SKS \ {ac↓, ac↑} 
      U 
      ‖ {ac↓} 
      R 

Proof. The obstacles to permuting up the instances of ac↑ and down those of ac↓ 
are identity and cut, respectively. The solution is to turn the derivation into a 
proof, eliminate the cuts, turn the proof into a derivation again (using one cut), 
and then permute up or down the contractions. The proof can be found in 
[1]. □ 

6 Conclusions and Open Problems 

We have presented SKS, a system of inference rules for classical logic in the 
calculus of structures. Its main novelty is that all rules are local and their com- 
putational cost can thus be bounded. To achieve this, the greater expressivity 
of the calculus of structures wrt. the sequent calculus was used, in particular 
its ability of making deep inferences. We proved cut elimination for system SKS 
which makes it suitable for proof-search. Actually, a subset KS of inference rules 
is already complete. We have also shown properties of our system that seem not 
to hold for any sequent presentation of classical logic, that is, strong admissibility 
of cut, weakening and contraction for their atomic forms and the decomposition 
theorems for derivations. 

The main open problem is a more powerful decomposition theorem. To that 
end, let us call core those rules in the system that are necessary for decomposing 
the general cut into atomic cuts. In SKS, the core consists of one single rule: the 
switch. Can we separate out, i.e. push above the identities or below the cuts, 
anything that is not core? 



Conjecture 6.1. For every derivation 

      T 
   Δ  ‖ SKS 
      R 

there is a derivation 

      T 
      ‖ non-core 
      U_1 
      ‖ {ai↓} 
      U_2 
      ‖ core 
      U_3 
      ‖ {ai↑} 
      U_4 
      ‖ non-core 
      R 

This conjecture has been proved for two other systems in the calculus of 
structures [6] and this led to cut elimination. In these cut elimination proofs, 
atomic cuts are seen as instances of a super atomic cut, which is then pushed up 
all the way through the proof until it hits an identity that makes it disappear. 
In system SKS, such a super atomic cut cannot be pushed up over the rules acj, 
and m. Cut elimination would be much easier to prove syntactically could we 
rely on Conjecture 6.1. Then all the problematic rules that could stand in the 
way of the cut are either below all the cuts already or at the top of the proof and 
thus trivial, since their premise is t. Cut elimination is thus an easy consequence 
of such a decomposition theorem. Note that the proof of Theorem 5.5 falls short 
of simplifying a syntactical proof of cut elimination not only because instances 
of the rule m remain above the cuts, but also because it uses cut elimination. 

Modularity We have proved cut elimination for system SKS, but we have no 
syntactic proof inside the calculus of structures, i.e. without detour through the 
sequent calculus and without resorting to semantics. We are interested in such 
a proof because it can be modular, contrary to cut elimination proofs in the 
sequent calculus, cf. Girard [4] p. 15. This modularity stems from the fact that 
due to atomicity of the cut, cut elimination in the calculus of structures is not 
a nested induction taking into account the cut rank; instead it is based on a 
number of lemmas about permutability of rules wrt. one another (for a rather 
general notion of permutability). Those lemmas of course are not affected when 
new rules are added to the system. 

Predicative logic We are currently investigating the following extension of system 
SKS to predicative logic: adding quantifiers to the language in the obvious way, 
adding the corresponding De Morgan laws and the equation 

   ∀xR = ∃xR = R   if x is not free in R, 

and adding the rules from Fig. 6. Very roughly, rules {u↓, u↑} correspond to the 
R∀ rule in GS1 while rules {n↓, n↑} correspond to R∃. The rules {ce↓, ce↑, ca↓, ca↑} 
are just needed to reduce contraction to its atomic form. For proofs, the up-rules 
{n↑, u↑, ce↑, ca↑} are admissible. A nice common feature of all these rules is that 
their premise implies their conclusion (literally, without any added quantifica- 
tion). This is not true of any sequent calculus presentation known to us because 
of the R∀ rule. 

We do not claim that this system is local. In the rule n↑ a term t of un- 
bounded size is copied into an unbounded number of occurrences of x in R. 
Maybe unification could be incorporated into the system to deal with this in a 
local manner, but we have not explored this option. The question is whether this 
can be done without losing the good properties, cut elimination especially. 



          S{∀x[R,T]}                    S(∃xR, ∀xT) 
   u↓  ----------------         u↑  ---------------- 
          S[∀xR, ∃xT]                   S{∃x(R,T)} 

          S{R[x/t]}                     S{∀xR} 
   n↓  ----------------         n↑  ---------------- 
          S{∃xR}                        S{R[x/t]} 

          S[∃xR, ∃xT]                   S{∀x(R,T)} 
   ce↓ ----------------         ce↑ ---------------- 
          S{∃x[R,T]}                    S(∀xR, ∀xT) 

          S[∀xR, ∀xT]                   S{∃x(R,T)} 
   ca↓ ----------------         ca↑ ---------------- 
          S{∀x[R,T]}                    S(∃xR, ∃xT) 

Fig. 6. Extension to predicative logic 



Semantics for derivations Structures are in a one-to-one correspondence with 
traces [5] that are graphs with colored edges satisfying certain simple properties. 
The atom occurrences of a structure are the nodes of its trace and the colors of 
the edges are determined by the logical relation between the atom occurrences. 
In [5] it is shown that the switch rule can be characterized in terms of conditions 
on traces. Those conditions can be checked locally in the sense that they involve 
at most four atoms at a time. 

The question is whether the rule m can be characterized in the same way. 
This would be a step towards a distributed system in which proof-search is driven 
by pairs of complementary atoms, comparable in spirit to the connection method 
[9]. At present, however, this question is entirely open. 
Hopefully, trace semantics can help in understanding derivations. Given the 
existence of a derivation in a subset of SKS from a known S to an unknown T, 
what is the relation between (the traces of) S and T? What can be inferred 
about T, i.e. what graph-theoretic properties on traces are preserved by the 
inference rules? By classical semantics we know that all of them preserve truth 
(successful valuations). The problem is that this does not tell us much about 
T, in particular it tells us nothing about atom occurrences, their number, and 
their logical relations. A better understanding of this would also help in finding 
a decomposition theorem as sketched in Conjecture 6.1. 
Abstract. Quantified Boolean formulae offer a means of representing 
many propositional formulae exponentially more compactly than propo- 
sitional logic. Recent work on automating reasoning with QBF has con- 
centrated on extending the Davis-Putnam procedure to handle QBF. 
Although the resulting procedures make it possible to evaluate QBF 
that could not be efficiently reduced to propositional logic (requiring 
worst-case exponential space), their efficiency often lags far behind the 
reductive approach when the reduction is possible. We attribute this in- 
efficiency to the fact that many of the unit resolution steps possible in 
the reduced (propositional logic) formula are not performed in the cor- 
responding QBF. To combine the conciseness of the QBF representation 
and the stronger inferences available in the unquantified representation, 
we introduce a stronger propagation algorithm for QBF which could be 
seen as partially unfolding the universal quantification. The algorithm 
runs in worst-case exponential time, like the reduction of QBF to propo- 
sitional logic, but needs only polynomial space. By restricting the al- 
gorithm the exponential behavior can be avoided while still preserving 
many of the useful inferences. 



1 Introduction 

Quantified Boolean formulae are a generalization of the satisfiability problem of 
the propositional logic that allows a more concise representation of many classes 
of formulae. The additional conciseness lifts the complexity of evaluating QBF 
to PSPACE-complete, which is in strong contrast to the NP-completeness of 
propositional satisfiability. However, the connection between the two problems 
is close, and not surprisingly some of the recent procedures for evaluating QBF 
are extensions of the Davis-Putnam procedure [Ij. An alternative solution 
technique is to reduce a QBF to an unquantified propositional formula, and to 
test its truth by a conventional satisfiability algorithm. The drawback of this 
reductive approach is that the size of the propositional formula is worst-case 
exponential in the size of the QBF, which usually makes it impractical for all 
but the simplest QBF. 

A problem with the extensions of the Davis-Putnam procedure to QBF is 
that many of the unit resolution steps that would be possible with the reduced 
formula do not take place. For restricted types of QBF, when the number of 
quantifier alternations is small, this problem has been partially overcome [20]. 

In this paper we attempt to provide a more general solution to this prob- 
lem. The solution departs from earlier work on evaluating QBF in that the 
binary search algorithm is combined with a propagation algorithm that runs in 
exponential time in the size of the QBF. In general, algorithms for intractable 
problems have a restricted number of sources of non-polynomial behavior, and 
it is not a priori clear that using an exponential time subprocedure is sensible. 
Therefore, we present techniques for avoiding the exponentiality of the propa- 
gation algorithm to make the algorithm more practical. Our hypothesis is that 
the exponential reduction in problem size, due to the use of QBF instead of 
an equivalent unquantified formula, justifies a more expensive propagation algo- 
rithm. We also believe that in some cases even an exponential time propagation 
algorithm could be justified. The algorithm can be viewed as a conventional unit 
propagation algorithm for a QBF representation of unquantified clause sets. 

The structure of the paper is as follows. In Sect. 4 we discuss the computa- 
tional problem in detail by giving practically motivated examples of QBF that 
are very difficult for the current QBF algorithms. In Sect. 5 we outline the prop- 
agation algorithm, and in Sect. 6 we propose improvements and give a restricted 
variant of the algorithm that runs in polynomial time. Sect. 7 gives a preliminary 
experimental analysis of the algorithm, and Sect. 8 discusses related work. 

2 Preliminaries 

Quantified Boolean formulae are of the form q_1x_1 ⋯ q_nx_n φ where φ is a proposi- 
tional formula and the prefix consists of universal ∀ and existential ∃ quantifiers 
q_i and the propositional variables x_i occurring in φ. Define φ[ψ/x] as the formula 
obtained from φ by replacing occurrences¹ of the propositional variable x by the 
formula ψ. The truth of formulae is defined recursively as follows. The truth of 
a formula that does not contain variables, that is, that consists of connectives 
and the constants true ⊤ and false ⊥, is defined by the truth-tables for the 
connectives. A formula ∃xφ is true if and only if φ[⊤/x] or φ[⊥/x] is true. A 
formula ∀xφ is true if and only if φ[⊤/x] and φ[⊥/x] are true. Examples of true 
formulae are ∀x∃y(x ↔ y) and ∃x∃y(x ∧ y). The formulae ∃x∀y(x ↔ y) and 
∀x∀y(x ∨ y) are false. Changing the order of two consecutive variables quantified 
by the same quantifier does not affect the truth-value of the formula. It is often 
useful to ignore the ordering of consecutive variables and view each quantifier as 
quantifying a set of variables, for example ∃x_1x_2∀y_1y_2 φ. 



3 The Extension of the Davis-Putnam Procedure to QBF 

We have designed and implemented an algorithm that determines the truth- 
value of quantified Boolean formulae [20]. The Davis-Putnam procedure jj] is a 

^ We assume that nested quantifiers do not quantify the same variable. 
special case of the algorithm. The main differences are that instead of only or- 
nodes, the search tree for quantified Boolean formulae contains also and-nodes 
that correspond to universally quantified variables, and that the order of the 
variables in the prefix constrains the order in which the variables generate a 
search tree. The algorithm takes as input formulae in which all quantifiers are 
in front of the formulae and the body is in conjunctive normal form. 

The main procedure of the algorithm sketched in Fig. 1 takes three parame- 
ters². The variable e is true if the first quantifier in the prefix of the formula is 
∃. The sequence (V_1, …, V_n) represents the prefix. For example, if the prefix is 
then V_1 = {x_1, x_2}, V_2 = {x_3} and V_3 = {x_4}. The set C consists 
of clauses {l_1, …, l_n} where n ≥ 0 and l_i are literals. The empty clause ∅ is false. 



PROCEDURE decide(e, (V_1, V_2, …, V_n), C) 
BEGIN 
  C := unit(C); 
  IF ∅ ∈ C THEN RETURN false; 
  IF n = 0 THEN RETURN true; 
  remove from V_1 all variables occurring in a unit clause in C; 
  IF V_1 = ∅ THEN 
    RETURN decide(not e, (V_2, …, V_n), C); 
  x := a member of V_1; 
  V_1 := V_1 \ {x}; 
  IF e THEN 
    IF decide(e, (V_1, …, V_n), C ∪ {{x}}) 
    THEN RETURN true; 
  ELSE 
    IF not decide(e, (V_1, …, V_n), C ∪ {{x}}) 
    THEN RETURN false; 
  RETURN decide(e, (V_1, …, V_n), C ∪ {{¬x}}) 
END 

Fig. 1. The extension of the Davis-Putnam procedure to QBF 



The subprocedure unit performs simplification by unit resolution and unit 
subsumption; unit(S) is defined as the fixpoint of F under a set S of clauses. 

   F(C) = {c \ {$\bar{l}$} | c ∈ C, {l} ∈ C, $\bar{l}$ ∈ c} 
        ∪ {c ∈ C | l ∉ c and $\bar{l}$ ∉ c for all {l} ∈ C} 
        ∪ {{l} ∈ C} 



^ The algorithm is simplified because we just want to indicate what the main differ- 
ences to the Davis-Putnam procedure are. For example, we do not require that the 
variable x does not have a truth-value when it is branched on. 
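The procedure of Fig. 1 together with the operator F, as an added runnable example of our own (not the authors' implementation). Literals are non-zero integers, clauses are frozensets, and the prefix is a list of variable sets whose quantifiers alternate starting with e. One check that Fig. 1 leaves out in its simplified form is added here and marked as such: a unit clause that fixes a universal variable still in the prefix makes the formula false, and without it the sketch as printed would accept ∀x∀y(x ∨ y). The names `F`, `unit`, `decide` follow the page; `examples` and the sample formulae are our own.

```python
# Literal: x (variable x true) or -x (its negation); clause: frozenset of literals;
# C: set of clauses, frozenset() being the empty clause; prefix: list of sets of
# variables, prefix[j] existential iff e == (j % 2 == 0).

def F(C):
    """One application of the operator F from the page: unit resolution and subsumption."""
    units = {next(iter(c)) for c in C if len(c) == 1}
    out = {c for c in C if len(c) == 1}                     # {{l} in C}
    for c in C:
        hits = [l for l in units if -l in c]
        for l in hits:
            out.add(c - {-l})                               # c \ {not l} for a unit {l}
        if not hits and not any(l in c for l in units):
            out.add(c)                                      # untouched by any unit clause
    return out

def unit(C):
    """unit(C): the fixpoint of F under C."""
    C = frozenset(C)
    while True:
        nxt = frozenset(F(C))
        if nxt == C:
            return set(C)
        C = nxt

def decide(e, prefix, C):
    """decide(e, (V1, ..., Vn), C) of Fig. 1; e is True iff V1 is existential."""
    C = unit(C)
    if frozenset() in C:
        return False
    if not prefix:
        return True
    forced = {abs(next(iter(c))) for c in C if len(c) == 1}
    # Added check, not in Fig. 1 of the page: a unit clause on a universal variable
    # that is still quantified in the remaining prefix falsifies the formula.
    for j, block in enumerate(prefix):
        if e != (j % 2 == 0) and forced & block:
            return False
    V1 = set(prefix[0]) - forced          # remove variables occurring in a unit clause
    rest = [set(b) for b in prefix[1:]]
    if not V1:
        return decide(not e, rest, C)
    x = min(V1)                           # "a member of V1"
    V1.remove(x)
    new_prefix = [V1] + rest
    if e:
        if decide(e, new_prefix, C | {frozenset([x])}):
            return True
    else:
        if not decide(e, new_prefix, C | {frozenset([x])}):
            return False
    return decide(e, new_prefix, C | {frozenset([-x])})

def examples():
    """Constructed QBF from the page, with variables numbered x=1, y=2, z=3."""
    x, y, z = 1, 2, 3
    impl = lambda p, q: frozenset([-p, q])            # p -> q as a clause
    return {
        # Example 1: exists x forall y exists z ((y -> z) and (z -> x)) is true
        'ex1': decide(True, [{x}, {y}, {z}], {impl(y, z), impl(z, x)}),
        # forall x exists y (x <-> y) is true, exists x forall y (x <-> y) is false
        'forall_exists_iff': decide(False, [{x}, {y}], {impl(x, y), impl(y, x)}),
        'exists_forall_iff': decide(True, [{x}, {y}], {impl(x, y), impl(y, x)}),
        # exists x exists y (x and y) is true, forall x forall y (x or y) is false
        'exists_and': decide(True, [{x, y}], {frozenset([x]), frozenset([y])}),
        'forall_or': decide(False, [{x, y}], {frozenset([x, y])}),
    }

if __name__ == '__main__':
    for name, value in examples().items():
        print(name, value)
```

Branching is encoded exactly as in the figure, by adding the unit clause {x} or {¬x} to C and letting `unit` do the work; in Example 1 this is what makes x true once y is set, which is the propagation the paper wants to obtain without enumerating all valuations of the universal variables.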
4 Motivating Examples 

First we give simple examples illustrating which unit propagations are not per- 
formed by the Davis-Putnam QBF procedure of Section 3, and then we show 
a practical example of a class of formulae that are equivalent to exponentially 
bigger propositional formulae, and for which the lack of unit propagations makes 
even small formulae very difficult. 

Example 1. Consider the QBF ∃x∀y∃z((y → z) ∧ (z → x)). By considering the case 
when the universally quantified variable y gets the value true, one sees that also 
x has to be true. That this kind of reasoning may speed up evaluation of QBF 
considerably is shown by Rintanen [20]. 

The above line of reasoning often allows inferring some of the truth-values 
of the outermost variables in the Davis-Putnam QBF procedure. For QBF with 
prefix ∃∀∃, considering all valuations of the universal variables allows performing 
all the desired unit propagation steps³. However, when the prefix contains more 
than one block of universal variables, this is not the case. 

Example 2. Consider the QBF ∃a∀b∃x_1x_2∀y∃z_1z_2((y → z_1) ∧ (z_1 → x_1) ∧ ((¬y ∧ 
x_1) → z_2) ∧ (z_2 → x_2) ∧ ((x_1 ∧ x_2 ∧ b) → a)). Unlike in Example 1 where (re- 
peatedly) choosing truth-values for all universal variables and then performing 
unit propagation yielded all desired values for the outermost variables, in this 
example the same strategy does not suffice. The problem is that two valuations, 
respectively assigning b = ⊤, y = ⊤ and b = ⊤, y = ⊥, are needed, and neither of 
these alone allows inferring a. First one uses the first assignment and infers x_1, 
exchanges y = ⊤ to y = ⊥, and only then can one infer a with x_2. After using 
the first assignment, one in general cannot preserve the values obtained for x_1 
and x_2, because these could depend on the choice b = ⊤, to which we have not 
committed. 

The propagation pattern present in Example 2 could be made still more 
intricate. With a prefix that has a block E of outermost universal variables and a 
further block V of universal variables inside it, we could be forced to repeatedly 
alternate between valuations v_1 and v_2 of the universal variables V in order to 
infer more and more values for the existential variables X, keeping part of the 
valuation (for the outermost universal variables E) fixed. The second example 
shows that the hierarchical propagation structure could be vital for solving 
naturally occurring QBF. 

Example 3. Consider the following formula that represents the existence of tran- 
sition sequences of length 2^n between two states [20]. 

   ∃S S'(reach_n(S, S') ∧ I ∧ G)                                            (1) 

Here I and G are the formulae describing the initial and goal states respectively 
expressed in terms of variables from sets S and S'. Here reach_i(S, S') means that 

³ Of course, performing this computation that is exponential in the number of universal 
variables may in practise be too expensive to be useful. 
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a state represented in terms of variables from S' can be reached with 2® steps 
from a state represented in terms of variables from S. It is recursively defined 
as follows. 

reacho(S', S") = R{S, S') 

Hgf 

reachi+i(S', S") = 3TVc3Ti3T2(reachi(Ti, T 2 ) 

A(c^(Ti = SAT2 = T)) 

A(-c^(Ti =TAT2 = 5'))) 

Here R is the one-step transition relation on two sets of variables that re- 
spectively represent the state variables for the predecessor and the successor 
states. The sets T and S consist of propositional variables, and S' = T for 
S = {si, . . . , s„} and T = {t\, . . . , means (si O ti) A • • • A {sn ^ tn)- The 
idea of the definition of reachi+i(S, S') is that the variables T describe a state 
halfway between S and S', and the two values for the variable c correspond to 
two reachability tests, one between S and T, and the other between T and S'. 
This is very close to the PSPACE membership proof of s-t reachability of graphs 
represented in terms of state variables mrm . 

If we eliminate all universal variables from Formula[l] we see that it is essentially 
a concise O(logt) space {t = 2") representation of 

lo A i?(So, Si) A i?(Si, S 2 ) A • • • A R{St-uSt) A G* (2) 

with only one occurrence of the transition relation R. Now, there are many 
instances of Formula E] (especially if the estimated transition sequence length 
2' is “low”) in which unit propagation immediately yields many state variable 
values However, for the corresponding Formula [I] none of this takes place. 

The Davis-Putnam QBF procedure performs an exhaustive search through the valuations of all the variables but the innermost ones. This makes even small reachability problems (a couple of dozen state variables and transition sequence length 4) practically unsolvable by the Davis-Putnam QBF procedure, while the corresponding Formula (2) would be solved immediately by any reasonable satisfiability algorithm.

Example 4. When the transition relation $R$ is the implication $s_0 \to s_1$, we obtain the following formula for reachability of length 4.

$$
\begin{array}{l}
\exists a\, b\; \exists x_1\, \forall c_1\, \exists s_1\, \exists t_1\; \exists x_2\, \forall c_2\, \exists s_2\, \exists t_2\; \big(a \wedge \\
\quad (c_1 \to ((a \leftrightarrow s_1) \wedge (x_1 \leftrightarrow t_1))) \wedge \\
\quad (\neg c_1 \to ((x_1 \leftrightarrow s_1) \wedge (b \leftrightarrow t_1))) \wedge \\
\quad (c_2 \to ((s_1 \leftrightarrow s_2) \wedge (x_2 \leftrightarrow t_2))) \wedge \\
\quad (\neg c_2 \to ((x_2 \leftrightarrow s_2) \wedge (t_1 \leftrightarrow t_2))) \wedge \\
\quad (s_2 \to t_2)\big)
\end{array}
$$

This formula is equivalent to (with respect to $a$ and $b$)

$$a \wedge (a \to s_1) \wedge (s_1 \to s_2) \wedge (s_2 \to s_3) \wedge (s_3 \to b),$$

and by unit resolution one can directly infer that $b$ has to be true.
5 The New Unit Propagation Algorithm

Let $u$ be the first universal variable in the prefix of a QBF $\Phi$ and let $x_1, \ldots, x_n$ be the existential variables in the prefix after $u$. Then $u$ can be eliminated from $\Phi$ by producing the QBF $\Phi_u = \Phi[x'_1/x_1, \ldots, x'_n/x_n, \top/u] \wedge \Phi[\bot/u]$. If $u_1, \ldots, u_m$ are the universal variables in $\Phi$, then $\Phi$ is true if and only if $\Phi_{u_1, \ldots, u_m}$ is true. This latter formula is the one obtained by eliminating the universal variables from $\Phi$ in the given order that agrees with their order in the prefix. Now $\Phi_{u_1, \ldots, u_m}$ contains existential variables only, and it - when ignoring the quantifiers - can be viewed as a normal satisfiability problem in propositional logic. Because $\Phi_{u_1, \ldots, u_m}$ may have a size exponential in the size of $\Phi$, this reduction is usually not a practical way of evaluating QBF.

The algorithm we propose could be viewed as partially unfolding the QBF $\Phi$: at any point of time only one of the $2^m$ conjuncts of $\Phi_{u_1, \ldots, u_m}$ is produced, call it $\chi$, which corresponds to a single valuation of all the universal variables. Such formulae $\chi$ typically share (existential) variables, because existential variables get renamed in the reduction only when they follow a universal variable in the prefix. We would like to perform unit resolution on these formulae $\chi$ so that truth-values obtained for shared variables would be propagated also to other formulae $\chi'$ obtained by partially unfolding $\Phi$.

This idea leads to the hierarchical propagation algorithm in Fig. 2 that does not explicitly produce the formulae $\chi$. It takes the following parameters.

- $Q = (V_1, \ldots, V_n)$ is a sequence of sets of variables that represents the quantifiers of the QBF, where $V_{2i+1}$ for $i \geq 0$ are universally quantified and $V_{2i}$ for $i \geq 1$ are existentially quantified, and

- $C$ is the body of the formula (a set of clauses).

    PROCEDURE propagate((V_1, V_2, V_3, ..., V_n), C)
      IF n = 0 THEN RETURN unit(C);
      again:
      FOR EACH valuation v of V_1 DO
        C' := propagate((V_3, ..., V_n), C ∪ v);
        IF {p} ∈ C' \ C or {¬p} ∈ C' \ C for some p ∈ P
           where P = V \ (V_1 ∪ ··· ∪ V_n)
        THEN
          BEGIN
            C := C ∪ (C' ∩ ({{p} | p ∈ P} ∪ {{¬p} | p ∈ P}));
            GOTO again;
          END
      END
      RETURN C;

Fig. 2. The hierarchical unit propagation algorithm

Valuations $v$ of $V_1$ above are sets of unit clauses with exactly one occurrence of every variable in $V_1$. The set $V$ consists of all variables occurring in the QBF. The existential variables $V_{2i}$ in the prefix $Q$ are used by the propagation algorithm only as far as conventional unit propagation produces them.

The algorithm runs in time exponential in the size of the QBF because the number of valuations may be exponential. However, it needs only polynomial space. This is because at any given point of time only one valuation of the universal variables and the values inferred for the existential variables need to be stored explicitly.
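The procedure of Fig. 2 written out in Python and run on the clause set of Example 4, as an added example; this is neither the paper's implementation nor code from the solver it describes. The DIMACS-style variable numbering, the `guarded_iff` helper and the treatment of a conflict under some valuation (returning `None`, which Fig. 2 leaves implicit) are this example's own choices. The prefix handed to `propagate` starts at the first universal block, so the outermost existentials a, b, x1 form the set P of Fig. 2.

```python
"""Hierarchical unit propagation for QBF (Fig. 2) on the clauses of Example 4.

Literals are non-zero ints in DIMACS style (-5 is the negation of variable 5),
clauses are frozensets of literals.  `propagate` receives the prefix from the
first universal block onwards; the variables before it are the set P of Fig. 2.
"""
from itertools import product


def unit_literals(clauses):
    """Conventional unit propagation, unit(C) in Fig. 2.

    Returns the set of literals that are unit after propagation (including the
    unit clauses already present), or None when the empty clause is derived.
    """
    assigned = {}
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            free, satisfied = [], False
            for lit in clause:
                if abs(lit) in assigned:
                    if assigned[abs(lit)] == (lit > 0):
                        satisfied = True
                        break
                else:
                    free.append(lit)
            if satisfied:
                continue
            if not free:
                return None                      # conflict
            if len(free) == 1:
                assigned[abs(free[0])] = free[0] > 0
                changed = True
    return {v if val else -v for v, val in assigned.items()}


def propagate(prefix, clauses, all_vars):
    """prefix: blocks [U1, E1, U2, E2, ...] of variable sets, U universal.

    Returns the unit literals inferred for the variables outside the prefix
    (the outer existentials, P in Fig. 2) that hold under every valuation of
    U1, or None if some valuation yields a conflict, i.e. the current branch
    of the Davis-Putnam QBF procedure is false (this example's addition).
    """
    if not prefix:
        return unit_literals(clauses)
    universal = sorted(prefix[0])
    outer = all_vars - set().union(*prefix)      # P = V \ (V1 ∪ ... ∪ Vn)
    known = {next(iter(c)) for c in clauses if len(c) == 1}
    learned = set()
    while True:                                  # the `again:` loop of Fig. 2
        for bits in product((False, True), repeat=len(universal)):
            valuation = {frozenset([x if b else -x])
                         for x, b in zip(universal, bits)}
            extra = {frozenset([l]) for l in learned}
            derived = propagate(prefix[2:], clauses | extra | valuation, all_vars)
            if derived is None:
                return None
            fresh = {l for l in derived if abs(l) in outer} - known - learned
            if fresh:                            # new unit clauses over P ...
                learned |= fresh
                break                            # ... so GOTO again
        else:
            return learned


# Variables of Example 4; a, b and x1 are the outermost existentials.
A, B, X1, C1, S1, T1, X2, C2, S2, T2 = range(1, 11)


def guarded_iff(cond, p, q):
    """cond -> (p <-> q) as two clauses; pass -cond for a negated guard."""
    return [frozenset([-cond, -p, q]), frozenset([-cond, p, -q])]


def example4():
    clauses = [frozenset([A])]                               # I = a
    clauses += guarded_iff(C1, A, S1) + guarded_iff(C1, X1, T1)
    clauses += guarded_iff(-C1, X1, S1) + guarded_iff(-C1, B, T1)
    clauses += guarded_iff(C2, S1, S2) + guarded_iff(C2, X2, T2)
    clauses += guarded_iff(-C2, X2, S2) + guarded_iff(-C2, T1, T2)
    clauses.append(frozenset([-S2, T2]))                     # R: s2 -> t2
    prefix = [{C1}, {S1, T1, X2}, {C2}, {S2, T2}]            # after ∃a b x1
    return propagate(prefix, set(clauses), set(range(1, 11)))


if __name__ == "__main__":
    print(sorted(example4()))   # [2, 3]: b and x1 are forced true
```

On Example 4 the call returns the literals for x1 and b: x1 is inferred under c1 = true (through s1, x2 and t1, which are learned at the inner level and then discarded because they lie inside the prefix), and once x1 has been added to C the restart infers b under c1 = false. This is the chain a → s1 → s2 → s3 → b of the fully unfolded formula, found without ever building that formula.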

6 Improvements

The algorithm can be improved by taking into account properties of the body $C$ of the formula, and by preventing the worst-case exponential running time. First, we give stricter conditions on the selection of valuations $v$ based on the possibilities of performing unit resolution steps. This often leads to a big reduction in the runtime but does not eliminate the exponential time worst-case behavior. Second, in Sect. 6.1 we consider further restrictions that lead to a polynomial runtime.

Example 5. Consider a clause set $C$ in which only the clause $u_1 \vee u_2 \vee x$ contains less than two existential variables, namely the variable $x$. The only possibility of performing unit resolution is to assign both $u_1$ and $u_2$ false.

Therefore, only such values should be assigned to the universal variables that contribute to producing a unit clause. It would be possible to take the usefulness criterion further. The new unit clause that is obtained should have a complementary occurrence in a clause with less than 3 literals: otherwise the unit clause would be the only one that is produced, and therefore often not very useful.

6.1 Restrictions Leading to Polynomial Runtime

Producing unit clauses from two clauses $u \vee \phi_1$ and $\neg u \vee \phi_2$ is complementary: no single value of $u$ makes both of them unit. This is the reason why the worst-case runtime of the algorithm is exponential: otherwise it would suffice to choose one valuation for the universal variables so that all possible unit clauses are produced.

Example 6. Consider a clause set that includes the clauses $(u_1 \vee x_1), (\neg u_1 \vee x'_1), (u_2 \vee x_2), (\neg u_2 \vee x'_2), \ldots, (u_n \vee x_n), (\neg u_n \vee x'_n)$. One can obtain $2^n$ different sets of unit clauses by assigning $2^n$ different combinations of truth-values to the universal variables $u_1, \ldots, u_n$.

The exponential behavior of the propagation algorithm can be avoided by refraining from trying out all valuations of the universal variables. A reasonable strategy would be to try only enough valuations so that each unit clause (but not necessarily every combination of unit clauses) is obtained once. Of course, this restriction means that the correspondence between the unit resolution steps available in the unquantified propositional formula and in the corresponding QBF is lost. Depending on the QBF in question, this could be a big loss or not. For the $O(\log n)$ QBF encoding of the s-t reachability problem one may be forced to try out an exponential number of combinations of unit clauses to obtain all inference steps.

7 An Implementation of the Algorithm

We have implemented the propagation algorithm as a variant of the QBF solver described by us earlier [20]. The new propagation algorithm replaces the less general inversion and sampling techniques. The solver heavily uses a general form of the failed literal rule for reducing the size of the search tree: see Li and Anbulagan's work on the satz implementation of the Davis-Putnam procedure. From the other techniques described by Rintanen [20] only the splitting of the clause set into disjoint subsets with no shared variables is used.

The new propagation algorithm is used at every node of the search tree, just like the standard unit propagation algorithm. The implementation consists of two mutually recursive subprocedures, the first traversing through all the valuations of a block of universal quantifiers, and the second keeping track of the existential variables that have been inferred. The polynomial time behavior described in Sect. 6.1 is achieved by labeling every clause that has been made a unit clause, and refraining from trying a truth-value (true or false) for a universal variable if it would not help producing a unit clause that has not already been labeled. This way the number of valuations tried is at most as high as the number of clauses with one existential literal and one or more universal literals.

7.1 Structured Formulae

We evaluated the algorithm on problems from AI planning that are encoded like Example 3. They solve a small blocks' world problem with 4 blocks, the Towers of Hanoi with 3 disks, and the well-known bw-large.a and bw-large.b blocks world problems. We list the runtimes on our implementations of the basic Davis-Putnam QBF procedure, with the inversion/sampling techniques from [20], and with the new propagation algorithm, in Table 1. The runs were on a 360 MHz Sun Sparc. We terminated each run that lasted for more than one hour. Even the best runtimes presented here are worse than the runtimes of conventional satisfiability algorithms on the reduced formulae. A bigger set of test runs is reported in Table 2. These QBF include ones representing planning under incomplete information, some randomly generated problems, and the encoding of long chains of implications as in Example 4. On some of the problems the stronger propagation algorithms slow down QBF evaluation because only very few or no new literals can be inferred, and running the algorithms is relatively expensive.

Table 1. Runtimes of the QBF algorithm on QBF from AI planning. The last QBF for each problem is true, the preceding ones are false. Runtimes are in seconds; "> 3600" marks a run terminated after one hour.

    problem      path length  prefix   vars  clauses   DP/QBF  DP+inversion  DP+new alg.
    BLOCKS4           2       ∃∀∃       149     1183   > 3600          0.03         0.04
    BLOCKS4           4       ∃∀∃∀∃     210     1505   > 3600       1527.55         3.20
    BLOCKS4           8       ∃∀∃∀∃∀∃   271     1827   > 3600        > 3600         4.22
    HANOI3            2       ∃∀∃       709    16599   > 3600          0.56         0.54
    HANOI3            4       ∃∀∃∀∃     962    17553   > 3600        > 3600        23.08
    HANOI3            8       ∃∀∃∀∃∀∃  1215    18507   > 3600        > 3600       > 3600
    bw-large.a        2       ∃∀∃      1099    62916   > 3600          0.89         1.13
    bw-large.a        4       ∃∀∃∀∃    1370    65688   > 3600        > 3600       256.75
    bw-large.b        2       ∃∀∃      1871   178890   > 3600          1.74         2.38
    bw-large.b        4       ∃∀∃∀∃    2268   183741   > 3600        > 3600        15.65
    bw-large.b        8       ∃∀∃∀∃∀∃  2665   188592   > 3600        > 3600       > 3600

7.2 Random Formulae

Contrary to what was reported by us earlier for the less general unfolding techniques [20], our implementation of the new propagation algorithm improves the Davis-Putnam QBF procedure runtimes on difficult randomly generated problems substantially. This is because of the stricter and more goal-directed criteria for selecting truth-values for universal variables.

Tables 3 and 4 show the runtimes of our QBF solver on random QBF (model A of Gent and Walsh) respectively without and with the new propagation algorithm. The times reported are runtimes (in milliseconds) of 150 variable ∃∀∃ formulae with varying numbers of universal variables and clauses/variables ratios. The runtimes are averages over 1000 formulae. The percentage of universal variables (rows in the tables) varies from 0 to 53.3, and the number of existential variables before and after the universal variables is the same. The clauses/variables ratio varies from 1 to 4 (the columns in the tables). The propagation algorithm produced each unit clause at least once, but did not produce all combinations of unit clauses. The ratios of the runtimes with and without the new propagation algorithm are shown in Table 5. In the phase transition region on the most difficult QBF the new propagation algorithm speeds up the evaluation by a factor of ten. On easier formulae, especially those containing a high number of universal variables, the algorithm slows down the evaluation, up to a factor of five. On bigger formulae and with more quantifiers the speed-ups are much bigger.



Table 2. Comparison of the runtimes of the basic Davis-Putnam QBF procedure, the same with the new propagation algorithm restricted to polynomial runtime, and the unrestricted new propagation algorithm, on a number of QBF. Runtimes are in seconds; "tree size" is the size of the search tree, and "-" means no tree size was recorded because the run was terminated after 10 minutes.

                                     basic DP/QBF       new algo. O(p(n))    new algo. O(2^u)
    problem                        runtime  tree size   runtime  tree size   runtime  tree size
    BLOCKS3i.4.4.qcnf             > 10 min         -      0.20          0      0.17          0
    BLOCKS3i.5.3.qcnf             > 10 min         -     94.10        378    101.80        378
    BLOCKS3i.5.4.qcnf             > 10 min         -      9.19         50      9.80         50
    BLOCKS3ii.4.3.qcnf               18.53      1015      0.15          0      0.11          0
    BLOCKS3ii.5.2.qcnf              345.98     10021      0.19          0      0.18          0
    BLOCKS3ii.5.3.qcnf            > 10 min         -      1.49         29      1.44         29
    BLOCKS3iii.4.qcnf                20.35      1728      0.05          0      0.03          0
    BLOCKS3iii.5.qcnf             > 10 min         -      0.73         26      0.70         26
    BLOCKS4i.6.4.qcnf             > 10 min         -      8.96          0      9.00          0
    BLOCKS4i.7.3.qcnf             > 10 min         -  > 10 min          -  > 10 min          -
    BLOCKS4i.7.4.qcnf             > 10 min         -  > 10 min          -  > 10 min          -
    BLOCKS4ii.6.3.qcnf            > 10 min         -      8.78          0      8.85          0
    BLOCKS4ii.7.2.qcnf            > 10 min         -     15.21          0     15.12          0
    BLOCKS4ii.7.3.qcnf            > 10 min         -    453.03        190    455.85        190
    BLOCKS4iii.6.qcnf             > 10 min         -      4.39          0      4.45          0
    BLOCKS4iii.7.qcnf             > 10 min         -    230.21        178    218.21        178
    CHAIN12v.13.qcnf                  0.25        36      0.43         12     73.67         12
    CHAIN13v.14.qcnf                  0.31        39      0.55         13    182.61         13
    CHAIN14v.15.qcnf                  0.38        42      0.74         14    449.17         14
    CHAIN15v.16.qcnf                  0.52        45      0.92         15  > 10 min          -
    CHAIN16v.17.qcnf                  0.64        48      1.13         16  > 10 min          -
    CHAIN17v.18.qcnf                  0.74        51      1.43         17  > 10 min          -
    CHAIN18v.19.qcnf                  0.91        54      1.74         18  > 10 min          -
    CHAIN19v.20.qcnf                  1.07        57      2.15         19  > 10 min          -
    CHAIN20v.21.qcnf                  1.23        60      2.68         20  > 10 min          -
    CHAIN21v.22.qcnf                  0.51        63      2.12         21  > 10 min          -
    CHAIN22v.23.qcnf                  0.71        66      2.57         22  > 10 min          -
    CHAIN23v.24.qcnf                  1.05        69      3.18         23  > 10 min          -
    TOILET10.1.iv.19.qcnf         > 10 min         -  > 10 min          -  > 10 min          -
    TOILET10.1.iv.20.qcnf             1.54        19      5.84         18      5.83         18
    TOILET16.1.iv.31.qcnf         > 10 min         -  > 10 min          -  > 10 min          -
    TOILET16.1.iv.32.qcnf            10.83        31     61.51         30     62.22         30
    TOILET2.1.iv.3.qcnf               0.01         3      0.01          0      0.01          0
    TOILET2.1.iv.4.qcnf               0.00         3      0.00          2      0.03          2
    TOILET6.1.iv.11.qcnf            554.59    111102     46.63       1658     46.52       1658
    TOILET6.1.iv.12.qcnf              0.20        11      0.51         10      0.53         10
    TOILET7.1.iv.13.qcnf          > 10 min         -    659.26      17851  > 10 min          -
    TOILET7.1.iv.14.qcnf              0.42        13      1.58         12      1.61         12
    R3CNF_150_3_15_2.50_0.T.qcnf      0.82       549      0.05          5      0.05          5
    R3CNF_150_3_15_2.50_1.F.qcnf      5.75      3388      0.59         24      0.67         24
    R3CNF_150_3_15_2.50_2.T.qcnf      1.54       859      0.13          9      0.15          9
    R3CNF_150_3_15_2.50_3.T.qcnf      0.38       300      0.06          6      0.09          6
    R3CNF_150_3_15_2.50_4.T.qcnf      2.26      1394      0.32         17      0.34         17
    R3CNF_150_3_15_2.50_5.T.qcnf      0.69       522      0.18          9      0.23         11
    R3CNF_150_3_15_2.50_6.F.qcnf     14.59     11165      0.92         31      1.14         22
    R3CNF_150_3_15_2.50_7.F.qcnf     11.79      7460      1.58         51      1.96         41
    R3CNF_150_3_15_2.50_8.F.qcnf     19.34      9865      0.87         34      0.88         33
    R3CNF_150_3_15_2.50_9.T.qcnf      0.66       423      0.11          7      0.11          7
    impl02.qcnf                       0.01        11      0.01          1      0.00          0
    impl04.qcnf                       0.02        91      0.02         14      0.01          0
    impl06.qcnf                       0.12       563      0.09        117      0.01          0
    impl08.qcnf                       0.90      3249      0.96        713      0.05          0
    impl10.qcnf                       5.62     18435     13.21       4097      0.27          0
    impl12.qcnf                      25.92    104193     19.59      23223      1.32          0
    impl14.qcnf                     112.71    588383    118.66     131225      7.21          0
    impl16.qcnf                     595.66   3322021    650.82     740999     33.72          0
    impl18.qcnf                   > 10 min         -  > 10 min          -    126.96          0
    impl20.qcnf                   > 10 min         -  > 10 min          -    579.23          0

Table 3. Runtimes (in milliseconds) of the basic QBF solver on 150 variable ∃∀∃ QBF. The columns correspond to an increasing clauses-to-variables ratio, and the rows correspond to an increasing percentage of universal variables.

             1.00     1.50     2.00     2.50     3.00     3.50     4.00
     0.0%    5.14     8.80    18.62    27.11    34.16    51.22   313.54
     5.3%    5.19     9.43   152.52  1874.86  5679.83  4225.16   988.06
    10.7%    5.29    10.97   847.85  6815.47  3922.47  1141.70   450.39
    16.0%    5.60    16.67  1369.13  1985.74   869.00   402.73   232.92
    21.3%    5.60    28.63   491.05   438.56   281.99   207.00   134.24
    26.7%    5.84    43.45   149.33   140.81   120.16    98.20    86.07
    32.0%    6.27    39.42    63.22    64.31    65.86    60.30    59.77
    37.3%    7.09    23.06    33.59    36.49    40.14    43.78    47.44
    42.7%    8.07    15.91    21.08    26.02    30.12    32.94    37.32
    48.0%    8.70    15.52    20.65    21.10    25.49    27.60    29.01
    53.3%    6.98     9.68    12.56    15.54    18.98    21.61    25.08

Table 4. Runtimes (in milliseconds) on 150 variable ∃∀∃ QBF with the new propagation algorithm; rows and columns as in Table 3.

             1.00     1.50     2.00     2.50     3.00     3.50     4.00
     0.0%    5.20     9.06    19.20    28.35    36.26    54.76   392.60
     5.3%    5.82    12.00    80.59   107.53   369.88   439.06   153.00
    10.7%    5.97    14.26    80.64   382.74   240.94   122.04    84.91
    16.0%    6.00    19.93   195.35   228.58   131.70   126.41    85.20
    21.3%    6.86    34.37   181.10   173.56   140.23    95.50    88.40
    26.7%    7.19    56.05   164.50   160.94   117.94   100.16    87.78
    32.0%    7.87    74.94   199.48   141.58   106.85    97.14    96.59
    37.3%   10.03    84.98   155.40   119.27    97.54    94.36   101.35
    42.7%   12.81    75.78   109.68    94.22    84.99    88.74   118.92
    48.0%   17.88    67.29    84.90    73.21    78.43    88.52   106.42
    53.3%   14.18    39.02    51.43    62.12    67.55    82.78   100.19

Table 5. The ratio between the runtimes in Tables 4 and 3 (values below 1 are speed-ups of the new propagation algorithm).

             1.00     1.50     2.00     2.50     3.00     3.50     4.00
     0.0%   1.011    1.029    1.031    1.045    1.061    1.069    1.252
     5.3%   1.121    1.272    0.528    0.057    0.065    0.103    0.154
    10.7%   1.128    1.299    0.095    0.056    0.061    0.106    0.188
    16.0%   1.071    1.195    0.142    0.115    0.151    0.313    0.365
    21.3%   1.225    1.200    0.368    0.395    0.497    0.461    0.658
    26.7%   1.231    1.289    1.101    1.142    0.981    1.019    1.019
    32.0%   1.255    1.901    3.155    2.201    1.622    1.610    1.616
    37.3%   1.414    3.685    4.626    3.268    2.429    2.155    2.136
    42.7%   1.587    4.763    5.203    3.621    2.821    2.693    3.186
    48.0%   2.055    4.335    4.111    3.469    3.076    3.207    3.668
    53.3%   2.031    4.030    4.094    3.997    3.559    3.830    3.994

8 Related Work

Early work on quantified Boolean formulae includes the polynomial time algorithm by Aspvall et al. for quantified 2-literal clauses, and the polynomial time decision algorithm for quantified Horn clauses by Kleine Büning et al. Kleine Büning et al. also define a resolution rule for QBF.

Cadoli et al. extended the Davis-Putnam procedure to handle quantified Boolean formulae. Their algorithm is similar to the Davis-Putnam QBF procedure described earlier in this paper, but is based on two mutually recursive procedures that respectively handle the existential and the universal variables. Cadoli et al. also give a pure literal rule for universal variables, and propose a test that detects the truth of a QBF by performing a satisfiability test of the QBF with the universal variables ignored. Giunchiglia et al. [8] generalize backjumping to QBF so that also universal variables can be jumped over. Backjumping speeds up the evaluation of some classes of randomly generated QBF substantially. Also Letz discusses backjumping, as well as other QBF extensions of techniques that have been used in implementations of the Davis-Putnam procedure. The techniques discussed by Cadoli et al., Giunchiglia et al. and Letz in general improve the runtimes, backjumping on certain randomly generated problems substantially, but on the kind of structured problems discussed in Sect. 7.1 the implementations of all these algorithms have the same extremely high runtimes as our implementation without the stronger propagation algorithm.

Plaisted et al. have presented a decision procedure for QBF that is not based on the Davis-Putnam procedure. The procedure recursively eliminates variables from a formula by repeatedly replacing a subformula by another that allows the same valuations for the variables that occur also outside the subformula but does not contain the variables that occur only in the original subformula. No comparison of the algorithm to other algorithms for evaluating QBF has been carried out, because only an implementation of the algorithm for the unquantified propositional case exists.

Work directly related to the new propagation algorithm has been presented earlier by us and other authors. A restricted form of partial unfolding was first considered by Rintanen [20]. The technique presented there is capable of obtaining all unit resolution steps only when there is one group of universal variables; that is, when the prefix is ∃∀∃. The technique is applicable to longer prefixes, but in those cases it is incomplete. A variant of the technique was presented by Feldmann et al. [5], but experiments by Giunchiglia et al. [8] suggest that it is not a proper improvement over Rintanen's original proposal.

The unit resolution problem is not restricted to the Davis-Putnam QBF procedure: it is also present in algorithms for other problems, most notably in algorithms for stochastic satisfiability [2]. The propagation algorithm could also be applied in algorithms for QBF that are not in CNF. In this context an important question is detecting - from the non-clausal formula - the possibilities of performing inference steps corresponding to unit resolution. Once this question is answered, application of the propagation algorithm with its improvements is straightforward.

The new propagation algorithm for QBF could be contrasted to the work by Ginsberg and Parkes [7] which generalizes the Davis-Putnam procedure to schematically represented propositional formulae. Ginsberg and Parkes consider quantification over constant symbols, and restrict to universal quantification. Both algorithms process conventional propositional formulae that are represented compactly (exponential size reduction), and an intractable subproblem emerges because of the exponential reduction in problem size. In Ginsberg and Parkes' algorithm clauses and propositional variables are represented schematically, for example $p(a, b)$ where $a$ and $b$ are members of a fixed set of constants, and the computational problem to be solved is to find out - given a partial valuation and a set of schematically represented clauses - whether there are unit clauses with the literal $p(a, b)$ or $\neg p(a, b)$. Note that Ginsberg and Parkes represent only the clause set implicitly; all of the parametric propositional variables are represented explicitly. In the QBF case, the clauses and existential variables are parameterized by the universal variables that occur in the prefix before the relevant existential variables. Our algorithm performs unit resolution with the implicitly represented unquantified clause set. We do not represent the parameterized variables explicitly (there is an exponential number of them), and only infer truth-values for the current outermost existential variables.



9 Conclusions 

We have presented a propagation algorithm for QBF that takes advantage of the 
possibility of partially unfolding the QBF, that is, making explicit part of the 
propositional formula that would be obtained by eliminating the universal vari- 
ables from the QBF. The algorithm tries to infer truth- values for the outermost 
existential variables in the QBF, thereby reducing the need for exhaustive case- 
analysis on those variables. The algorithm may need exponential time because 
the fully unfolded propositional formula can have a size exponential in the size 
of the QBF. We discussed improvements to the algorithm and restrictions that 
make the algorithm run in polynomial time. 

We investigated the behavior of the algorithm on a narrow class of formulae that was part of the initial motivation for studying the problem, and on these formulae the algorithm is a differentiating factor between practically unsolvable and easily solvable QBFs. Whether the algorithm is useful on more general classes of QBF remains to be seen. To investigate the topic further we would need QBF with three or more alternations of quantifiers in the prefix. For QBF with prefix ∃∀∃ the algorithm works like a technique earlier proposed by us [20]. We believe that on many QBF with a longer prefix the hierarchical propagation algorithm substantially reduces the need for exhaustive search. However, the overhead of the algorithm is relatively high, and when the reduction in search space does not take place, the propagation algorithm slows down QBF evaluation.

There are some areas in QBF implementations that potentially benefit from 
observing the presence of the new propagation algorithm. For example, branch- 
ing heuristics should prefer variables that increase the number of clauses that 
contain only one existential variable (and possibly some universal variables.) 
The branching heuristics of our current implementation just count the number 
of new one and two literal clauses. However, for most of the QBF obtained by 
translation from the planning problems discussed in this paper, this would not 
appear to make a difference, because there are few clauses that contain universal 
variables and more than one existential variable. 

The ideas behind the paper point to possible improvements to the Davis-Putnam QBF procedure. A general problem with the procedure is that branching variables have to be selected from the variables quantified by the outermost quantifier, and therefore the choice of the variables is much less flexible than in the unquantified case. The problem is that - at a given state of the search process - none of the values chosen for the outermost variables might immediately constrain the values of the remaining variables, which leads to blind and exhaustive search. The idea of viewing the QBF as explicitly standing for an unquantified propositional formula suggests that branching variables could be inner variables when they are viewed as being parameterized by the values of the preceding universal variables. It could be the case that assigning a truth-value to some of the inner variables could constrain the other variables considerably, which would reduce the search space. However, because the number of parametric variables can be exponential in the number of variables in the QBF, it is not clear how and why this would lead to more efficient evaluation of QBF.
Abstract. When writing a constraint program, we have to decide what to make
the decision variable, and how to represent the constraints on these variables. In 
many cases, there is considerable choice for the decision variables. For example, 
with permutation problems, we can choose between a primal and a dual represen- 
tation. In the dual representation, dual variables stand for the primal values, whilst 
dual values stand for the primal variables. By means of channelling constraints, a 
combined model can have both primal and dual variables. In this paper, we per- 
form an extensive theoretical and empirical study of these different models. Our 
results will aid constraint programmers to choose a model for a permutation prob- 
lem. They also illustrate a general methodology for comparing different constraint 
models. 



1 Introduction 

Constraint programming is a highly successful technology for solving a wide variety of 
combinatorial problems like resource allocation, transportation, and scheduling. A con- 
straint program consists of a set of decision variables, each with an associated domain of 
values, and a set of constraints defining allowed values for subsets of these variables. The 
efficiency of a constraint program depends on a good choice for the decision variables, 
and a careful modelling of the constraints on these variables. Unfortunately, there is 
often considerable choice as to what to make the variables, and what to make the values. 
For example, in an exam timetabling problem, the variables could be the exams, and 
the values could be the times. Alternatively, the variables could be the times, and the 
values could be the exams. This choice is especially difficult in permutation problems. 
In a permutation problem, we have as many values as variables, and each variable takes 
an unique value. We can therefore easily exchange variables for values. Many assign- 
ment, scheduling and routing problems are permutation problems. For example, sports 
tournament scheduling can be modeled as finding a permutation of the games to fit into 
the time slots, or a permutation of the time slots to fit into the games. The aim of this 
paper is to compare such different models both theoretically and empirically. 



R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 377-391, 2001.
© Springer-Verlag Berlin Heidelberg 2001

T. Walsh

2 Formal Background

A constraint satisfaction problem (CSP) is a set of variables, each with a finite domain of values, and a set of constraints. A (binary) constraint is a (binary) relation defining the allowed values for a (binary) subset of variables. A solution is an assignment of values to variables consistent with all constraints. Many lesser levels of consistency have been defined (see [DB97]). A problem is (i, j)-consistent iff it has non-empty domains and any consistent instantiation of i variables can be consistently extended to j additional variables. A problem is arc-consistent (AC) iff it is (1, 1)-consistent. A problem is path-consistent (PC) iff it is (2, 1)-consistent. A problem is strong path-consistent (ACPC) iff it is AC and PC. A problem is path inverse consistent (PIC) iff it is (1, 2)-consistent. A problem is restricted path-consistent (RPC) iff it is AC and if a value assigned to a variable is consistent with just one value for an adjoining variable then for any other variable there is a compatible value. A problem is singleton arc-consistent (SAC) iff it has non-empty domains and for any instantiation of a variable, the resulting subproblem can be made AC. A CSP with binary or non-binary constraints is generalized arc-consistent (GAC) iff for any value for a variable in a constraint, there exist compatible values for all the other variables in the constraint. For ordered domains, a problem is bounds consistent (BC) iff it has non-empty domains and the minimum and maximum values for any variable in a constraint can be consistently extended.

Backtracking algorithms are often used to find solutions to CSPs. Such algorithms try to extend partial assignments, enforcing a local consistency after each extension and backtracking when this local consistency no longer holds. For example, the forward checking algorithm (FC) maintains a restricted form of AC that ensures that the most recently instantiated variable and any uninstantiated variables are AC. FC has been generalized to non-binary constraints [BMFL99]. nFC0 makes every k-ary constraint with k-1 variables instantiated AC. nFC1 applies (one pass of) AC to each constraint or constraint projection involving the current and exactly one future variable. nFC2 applies (one pass of) GAC to each constraint involving the current and at least one future variable. Three other generalizations of FC to non-binary constraints, nFC3 to nFC5, degenerate to nFC2 on the single non-binary constraint describing a permutation, so are not considered here. Finally, the maintaining arc-consistency algorithm (MAC) maintains AC during search, whilst MGAC maintains GAC.



3 Permutation Problems

A permutation problem is a constraint satisfaction problem with the same number of variables as values, in which each variable takes a unique value. We also consider multiple permutation problems in which the variables divide into a number of (possibly overlapping) sets, each of which is a permutation problem. Smith has proposed a number of different models for permutation problems [Smi00]. The primal not-equals model has not-equals constraints between the variables in each permutation. The primal all-different model has an all-different constraint between the variables in each permutation. In a dual model, we swap variables for values. Primal and dual models have primal and dual variables, and channelling constraints linking them of the form: x_i = j iff d_j = i, where x_i is a primal variable and d_j is a dual variable. Primal and dual models can also have not-equals and all-different constraints on the primal and/or dual variables. There will, of course, typically be other constraints which depend on the nature of the permutation problem. In what follows, we do not consider directly the contribution of such additional constraints to pruning. However, the ease with which we can specify and reason with these additional constraints may have a large impact on our choice of the primal, dual or primal and dual models. We will use the following subscripts: "≠" for the primal not-equals constraints, "c" for channelling constraints, "≠c" for the primal not-equals and channelling constraints, "≠c≠" for the primal not-equals, dual not-equals and channelling constraints, "∀" for the primal all-different constraint, "∀c" for the primal all-different and channelling constraints, and "∀c∀" for the primal all-different, dual all-different and channelling constraints. Thus SAC≠c is SAC applied to the primal not-equals and channelling constraints.

4 Constraint Tightness

To compare how different models of permutation problems prune the search tree, we define a new measure of constraint tightness. Our definition assumes constraints are defined over the same variables and values or, as in the case of primal and dual models, variables and values which are bijectively related. An interesting extension would be to compare two sets of constraints up to permutation of their variables and values. Our definition of constraint tightness is strongly influenced by the way local consistency properties are compared in [DB97]. Indeed, the definition is parameterized by a local consistency property since, as we show later, the amount of pruning provided by a set of constraints depends upon the level of local consistency being enforced. This measure of constraint tightness would also be useful in a number of other applications (e.g. reasoning about the value of implied constraints).

We say that a set of constraints A is at least as tight as a set B with respect to Φ-consistency (written Φ_A ≥ Φ_B) iff, given any domains for their variables, if A is Φ-consistent then B is also Φ-consistent. By considering all possible domains for the variables, this ordering measures the potential for domains to be pruned during search as variables are instantiated and domains pruned (possibly by other constraints in the problem). We say that a set of constraints A is tighter than a set B wrt Φ-consistency (written Φ_A → Φ_B) iff Φ_A ≥ Φ_B but not Φ_B ≥ Φ_A, A is incomparable to B wrt Φ-consistency (written Φ_A ⊗ Φ_B) iff neither Φ_A ≥ Φ_B nor Φ_B ≥ Φ_A, and A is equivalent to B wrt Φ-consistency (written Φ_A ↔ Φ_B) iff both Φ_A ≥ Φ_B and Φ_B ≥ Φ_A. We can easily generalize these definitions to compare Φ-consistency on A with Ψ-consistency on B. This definition of constraint tightness has some nice monotonicity and fixed-point properties which we will use extensively throughout this paper.

Theorem 1 (monotonicity and fixed-point).

1. AC_{A∪B} ≥ AC_A ≥ AC_{A∩B}

2. AC_A ≥ AC_B implies AC_{A∪B} ↔ AC_A

Similar monotonicity and fixed-point results hold for BC, RPC, PIC, SAC, ACPC, and GAC. We also extend these definitions to compare constraint tightness wrt search algorithms like MAC that maintain some local consistency. For example, we say that A is at least as tight as B wrt algorithm X (written X_A ≥ X_B) iff, given any fixed variable and value ordering and any domains for their variables, X visits no more nodes on A than on B, whilst A is tighter than B wrt algorithm X (written X_A → X_B) iff X_A ≥ X_B but not X_B ≥ X_A.
5 Theoretical Comparison

5.1 Arc-Consistency

We first prove that, with respect to AC, channelling constraints are tighter than the primal not-equals constraints, but less tight than the primal all-different constraint.

Theorem 2. On a permutation problem:

                GAC∀c∀
                  ⇕
GAC∀ → AC≠c≠ ↔ AC≠c ↔ ACc → AC≠
                  ⇕
                GAC∀c

Proof. In this and following proofs, we just prove the most important results. Others follow quickly, often using transitivity, monotonicity and the fixed-point theorems.

To show GAC∀ → ACc, consider a permutation problem whose primal all-different constraint is GAC. Suppose the channelling constraint between x_i and d_j was not AC. Then either x_i is set to j and d_j has i eliminated from its domain, or d_j is set to i and x_i has j eliminated from its domain. But neither of these two cases is possible by the construction of the primal and dual model. Hence the channelling constraints are all AC. To show strictness, consider a 5 variable permutation problem in which x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is ACc but not GAC∀.

To show ACc → AC≠, suppose that the channelling constraints are AC. Consider a not-equals constraint, x_i ≠ x_j (i ≠ j), that is not AC. Now, x_i and x_j must have the same singleton domain, {k}. Consider the channelling constraint between x_i and d_k. The only AC value for d_k is i. Similarly, the only AC value for d_k in the channelling constraint between x_j and d_k is j. But i ≠ j. Hence, d_k has no AC values. This is a contradiction as the channelling constraints are AC. Hence all not-equals constraints are AC. To show strictness, consider a 3 variable permutation problem with x1 = x2 = {1, 2} and x3 = {1, 2, 3}. This is AC≠ but is not ACc.

To show AC≠c≠ ↔ ACc, by monotonicity, AC≠c≠ ≥ ACc. To show the reverse, consider a permutation problem which is ACc but not AC≠c≠. Then there exists at least one not-equals constraint that is not AC. Without loss of generality, let this be on two dual variables (a symmetric argument can be made for two primal variables). So both the associated (dual) variables, call them d_i and d_j, must have the same unitary domain, say {k}. Hence, the domain of the primal variable x_k includes i and j. Consider the channelling constraint between x_k and d_i. Now this is not AC as the value x_k = j has no support. This is a contradiction.

To show GAC∀c∀ ↔ GAC∀, consider a permutation problem that is GAC∀. For every possible assignment of a value to a variable, there exists a consistent extension to the other variables, x1 = k1, ..., xn = kn with ki ≠ kj for all i ≠ j. As this is a permutation, this corresponds to the assignment of unique variables to values. Hence, the corresponding dual all-different constraint is GAC. Finally, the channelling constraints are trivially AC. □
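As an added illustration (not code from the paper), the following Python checks the three local consistencies compared in Theorem 2 on the paper's own counterexamples: AC on the channelling constraints, AC on the primal not-equals constraints and GAC on the all-different constraint, plus a singleton wrapper that gives the SAC variants of Section 5.7. Variables and values are 0-based here, so the paper's 1-based examples are shifted down by one; the matching-based GAC check is a naive stand-in for Régin's algorithm, not that algorithm.

```python
from itertools import permutations

# Added example: domains are lists of sets, primal[i] being the domain of x_i.
# Variables and values are 0-based (the paper's 1-based examples shift down by one).
# Every propagator returns the pruned domains, or None on a domain wipeout.

def ac_channelling(primal):
    """AC on the channelling constraints x_i = j <-> d_j = i (the paper's AC_c). Dual domains
    start bijectively related to the primal ones. Returns (primal, dual) or None on a wipeout."""
    n = len(primal)
    p = [set(s) for s in primal]
    d = [{i for i in range(n) if j in p[i]} for j in range(n)]
    changed = True
    while changed:
        changed = False
        for i in range(n):
            for j in range(n):
                # x_i = j needs d_j = i; x_i = k != j needs some value of d_j other than i
                for v in list(p[i]):
                    if (v == j and i not in d[j]) or (v != j and d[j] <= {i}):
                        p[i].discard(v)
                        changed = True
                # the same constraint seen from the dual side
                for u in list(d[j]):
                    if (u == i and j not in p[i]) or (u != i and p[i] <= {j}):
                        d[j].discard(u)
                        changed = True
                if not p[i] or not d[j]:
                    return None
    return p, d

def ac_not_equals(primal):
    """AC on the primal not-equals constraints x_i != x_k (the paper's AC_≠)."""
    p = [set(s) for s in primal]
    changed = True
    while changed:
        changed = False
        for i, k in permutations(range(len(p)), 2):
            for v in list(p[i]):
                if p[k] <= {v}:  # x_k can only be v, so x_i = v has no support
                    p[i].discard(v)
                    changed = True
            if not p[i]:
                return None
    return p

def _has_perfect_matching(doms):
    """True iff every variable can get a value with all values distinct (Kuhn's algorithm)."""
    match = {}  # value -> variable currently holding it

    def augment(i, seen):
        for v in doms[i]:
            if v not in seen:
                seen.add(v)
                if v not in match or augment(match[v], seen):
                    match[v] = i
                    return True
        return False

    return all(augment(i, set()) for i in range(len(doms)))

def gac_alldiff(primal):
    """GAC on the primal all-different constraint (the paper's GAC_∀): x_i = v survives only
    if some solution of the all-different uses it. One matching per value; a naive stand-in
    for Regin's algorithm, not that algorithm."""
    p = [set(s) for s in primal]
    for i in range(len(p)):
        for v in list(p[i]):
            fixed = [{v} if k == i else p[k] - {v} for k in range(len(p))]
            if not _has_perfect_matching(fixed):
                p[i].discard(v)
        if not p[i]:
            return None
    return p

def sac(propagator, primal):
    """Singleton consistency on top of `propagator`, so sac(ac_channelling, .) is the paper's
    SAC_c: x_i = v is pruned whenever fixing it and propagating wipes out a domain."""
    p = [set(s) for s in primal]
    changed = True
    while changed:
        changed = False
        for i in range(len(p)):
            for v in list(p[i]):
                trial = [{v} if k == i else set(s) for k, s in enumerate(p)]
                if propagator(trial) is None:
                    p[i].discard(v)
                    changed = True
            if not p[i]:
                return None
    return p

def is_consistent(propagator, primal):
    """True iff the problem already has the consistency `propagator` enforces (nothing is pruned)."""
    result = propagator(primal)
    if result is None:
        return False
    pruned = result[0] if isinstance(result, tuple) else result
    return pruned == [set(s) for s in primal]
```

For instance, with five = [{0,1},{0,1},{0,1},{2,3,4},{2,3,4}] (the paper's x1 = x2 = x3 = {1,2}, x4 = x5 = {3,4,5}), is_consistent(ac_channelling, five) is True while gac_alldiff(five) is None, and for [{0,1},{0,1},{0,1,2}] ac_not_equals prunes nothing but ac_channelling forces x3 to {2}.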
5.2 Maintaining Arc-Consistency

These results can be lifted to algorithms that maintain (generalized) arc-consistency during search. Indeed, the gaps between the primal all-different and the channelling constraints, and between the channelling constraints and the primal not-equals constraints, can be exponentially large[1]. We write X_A ⇒ X_B iff X_A → X_B and there is a problem on which algorithm X visits exponentially fewer branches with A than B. Note that GAC∀ and ACc are both polynomial to enforce, so an exponential reduction in branches translates to an exponential reduction in runtime.

Theorem 3. On a permutation problem:

MGAC∀ ⇒ MAC≠c≠ ↔ MAC≠c ↔ MACc ⇒ MAC≠

Proof. We give proofs for the most important identities. Other results follow immediately from the last theorem. To show MGAC∀ ⇒ MACc, consider an n+3 variable permutation problem with x_i = {1, ..., n} for i ≤ n+1 and x_{n+2} = x_{n+3} = {n+1, n+2, n+3}. Then, given a lexicographical variable ordering, MGAC∀ immediately fails, whilst MACc takes n! branches. To show MACc ⇒ MAC≠, consider an n+2 variable permutation problem with x1 = {1, 2}, and x_i = {3, ..., n+2} for i ≥ 2. Then, given a lexicographical variable ordering, MACc takes 2 branches to show insolubility, whilst MAC≠ takes 2·(n-1)! branches. □

5.3 Forward Checking

Maintaining (generalized) arc-consistency on large permutation problems can be expensive. We may therefore decide to use a cheaper local consistency property like that maintained by forward checking. For example, the Choco finite-domain toolkit in Claire uses just nFC0 on all-different constraints. The channelling constraints remain tighter than the primal not-equals constraints wrt FC.

Theorem 4. On a permutation problem:

nFC2∀ → FC≠c≠ ↔ FC≠c ↔ FCc → FC≠ → nFC0∀
                                ⇕
                    nFC2∀ → nFC1∀

Proof. [GSW00] proves FC≠ implies nFC0∀. To show strictness on permutation problems (as opposed to the more general class of decomposable constraints studied in [GSW00]), consider a 5 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3} and x5 = {4, 5}. FC shows the problem is unsatisfiable in at most 12 branches. nFC0 by comparison takes at least 18 branches.

To show FCc → FC≠, consider assigning the value j to the primal variable x_i. FC≠ removes j from the domain of all other primal variables. FCc instantiates the dual variable d_j with the value i, and then removes i from the domain of all other primal variables. Hence, FCc prunes all the values that FC≠ does. To show strictness, consider a 4 variable permutation problem with x1 = {1, 2} and x2 = x3 = x4 = {3, 4}. Given a lexicographical variable and numerical value ordering, FC≠ shows the problem is unsatisfiable in 4 branches. FCc by comparison takes just 2 branches.

[1] Note that not all differences in constraint tightness result in exponential reductions in search (e.g. [Che00] identifies some differences which are only polynomial).

[GSW00] proves nFC1∀ implies FC≠. To show the reverse, consider assigning the value j to the primal variable x_i. FC≠ removes j from the domain of all primal variables except x_i. However, nFC1∀ also removes j from the domain of all primal variables except x_i, since each occurs in a binary not-equals constraint with x_i obtained by projecting out the all-different constraint. Hence, nFC1∀ ↔ FC≠.

To show nFC2∀ → FC≠c≠, consider instantiating the primal variable x_i with the value j. FC≠c≠ removes j from the domain of all primal variables except x_i, i from the domain of all dual variables except d_j, instantiates d_j with the value i, and then removes i from the domain of all dual variables except d_j. nFC2∀ also removes j from the domain of all primal variables except x_i. The only possible difference is if one of the other dual variables, say d_k, has a domain wipeout. If this happens, x_i has one value in its domain, k, that is in the domain of no other primal variable. Enforcing GAC immediately detects that x_i cannot take the value j, and must instead take the value k. Hence nFC2∀ has a domain wipeout whenever FC≠c≠ does. To show strictness, consider a 7 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3} and x5 = x6 = x7 = {4, 5, 6, 7}. FC≠c≠ takes at least 6 branches to show the problem is unsatisfiable. nFC2∀ by comparison takes no more than 4 branches.

[BMFL99] proves nFC2∀ implies nFC1∀. To show strictness on permutation problems, consider a 5 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3} and x5 = {4, 5}. nFC1 shows the problem is unsatisfiable in at least 6 branches. nFC2 by comparison takes no more than 3 branches. □

5.4 Bounds Consistency

Another common method to reduce costs is to enforce just bounds consistency. For example, [RR00] use bounds consistency to prune a global constraint involving a sum of variables and a set of inequalities. As a second example, some of the experiments on permutation problems in [Smi00] used bounds consistency on certain of the constraints. With bounds consistency on permutation problems, we obtain a very similar ordering of the models as with AC.

Theorem 5. On a permutation problem:

BC∀ → BC≠c≠ ↔ BC≠c ↔ BCc → BC≠
                      ↓      ↑
                      AC≠ ───┘

Proof. To show BCc → BC≠, consider a permutation problem which is BCc but one of the primal not-equals constraints is not BC. Then, it would involve two variables, x_i and x_j, both with identical interval domains, [k, k]. Enforcing BC on the channelling constraint between x_i and d_k would reduce d_k to the domain {i}. Enforcing BC on the channelling constraint between x_j and d_k would then cause a domain wipeout. But this contradicts the channelling constraints being BC. Hence, all the primal not-equals constraints must be BC. To show strictness, consider a 3 variable permutation problem with x1 = x2 = [1, 2] and x3 = [1, 3]. This is BC≠ but not BCc.

To show BC∀ → BC≠c≠, consider a permutation problem which is BC∀. Suppose we assign a boundary value j to a primal variable, x_i (or equivalently, a boundary value i to a dual variable, d_j). As the all-different constraint is BC, this can be extended to all the other primal variables using each of the values once. This gives us a consistent assignment for any other primal or dual variable. Hence, it is BC≠c≠. To show strictness, consider a 5 variable permutation problem with x1 = x2 = x3 = [1, 2] and x4 = x5 = [3, 5]. This is BC≠c≠ but not BC∀.

To show BCc → AC≠, consider a permutation problem which is BCc but not AC≠. Then there must be one constraint, x_i ≠ x_j, with x_i and x_j having the same singleton domain, {k}. But, if this is the case, enforcing BC on the channelling constraint between x_i and d_k and between x_j and d_k would prove that the problem is unsatisfiable. Hence, it is AC≠. To show strictness, consider a 3 variable permutation problem with x1 = x2 = [1, 2] and x3 = [1, 3]. This is AC≠ but not BCc. □

5.5 Restricted Path Consistency

Debruyne and Bessière have shown that RPC is a promising filtering technique above AC [DB97]. It prunes many of the PIC values at little extra cost to AC. Surprisingly, channelling constraints are incomparable to the primal not-equals constraints wrt RPC. Channelling constraints can increase the amount of propagation (for example, when a dual variable has only one value left in its domain). However, RPC is hindered by the bipartite constraint graph between primal and dual variables. Additional not-equals constraints on primal and/or dual variables can therefore help propagation.

Theorem 6. On a permutation problem:

GAC∀ → RPC≠c≠ → RPC≠c → RPCc ⊗ RPC≠ ⊗ ACc

Proof. To show RPCc ⊗ RPC≠, consider a 4 variable permutation problem with x1 = x2 = x3 = {1, 2, 3} and x4 = {1, 2, 3, 4}. This is RPC≠ but not RPCc. For the reverse direction, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is RPCc but not RPC≠.

To show RPC≠c → RPCc, consider again the last example. This is RPCc but not RPC≠c.

To show RPC≠c≠ → RPC≠c, consider a 6 variable permutation problem with x1 = x2 = {1, 2, 3, 4, 5, 6} and x3 = x4 = x5 = x6 = {4, 5, 6}. This is RPC≠c but not RPC≠c≠.

To show GAC∀ → RPC≠c≠, consider a permutation problem which is GAC∀. Suppose we assign a value j to a primal variable, x_i (or equivalently, a value i to a dual variable, d_j). As the all-different constraint is GAC, this can be extended to all the other primal variables using up all the other values. This gives us a consistent assignment for any two other primal or dual variables. Hence, the problem is PIC≠c≠ and thus RPC≠c≠. To show strictness, consider a 7 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3} and x5 = x6 = x7 = {4, 5, 6, 7}. This is RPC≠c≠ but not GAC∀.

To show ACc ⊗ RPC≠, consider a 4 variable permutation problem with x1 = x2 = x3 = {1, 2, 3} and x4 = {1, 2, 3, 4}. This is RPC≠ but not ACc. For the reverse direction, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is ACc but not RPC≠. □

5.6 Path Inverse Consistency

The incomparability of channelling constraints and primal not-equals constraints remains when we move up the local consistency hierarchy from RPC to PIC.

Theorem 7. On a permutation problem:

GAC∀ → PIC≠c≠ → PIC≠c → PICc ⊗ PIC≠ ⊗ ACc

Proof. To show PICc ⊗ PIC≠, consider a 4 variable permutation problem with x1 = x2 = x3 = {1, 2, 3} and x4 = {1, 2, 3, 4}. This is PIC≠ but not PICc. Enforcing PIC on the channelling constraints reduces x4 to the singleton domain {4}. For the reverse direction, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is PICc but not PIC≠.

To show PIC≠c → PICc, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is PICc but not PIC≠c.

To show PIC≠c≠ → PIC≠c, consider a 6 variable permutation problem with x1 = x2 = {1, 2, 3, 4, 5, 6} and x3 = x4 = x5 = x6 = {4, 5, 6}. This is PIC≠c but not PIC≠c≠.

To show GAC∀ → PIC≠c≠, consider a permutation problem in which the all-different constraint is GAC. Suppose we assign a value j to a primal variable, x_i (or equivalently, a value i to a dual variable, d_j). As the all-different constraint is GAC, this can be extended to all the other primal variables using up all the other values. This gives us a consistent assignment for any two other primal or dual variables. Hence, the not-equals and channelling constraints are PIC. To show strictness, consider a 7 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3} and x5 = x6 = x7 = {4, 5, 6, 7}. This is PIC≠c≠ but not GAC∀.

To show PIC≠ ⊗ ACc, consider a 4 variable permutation problem with x1 = x2 = x3 = {1, 2, 3} and x4 = {1, 2, 3, 4}. This is PIC≠ but not ACc. Enforcing AC on the channelling constraints reduces x4 to the singleton domain {4}. For the reverse direction, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2} and x4 = x5 = {3, 4, 5}. This is ACc but not PIC≠. □

5.7 Singleton Arc-Consistency

Debruyne and Bessière also showed that SAC is a promising filtering technique above both AC, RPC and PIC, pruning many values for its CPU time [DB97]. Prosser et al. reported promising experimental results with SAC on quasigroup problems, a multiple permutation problem [PSW00]. Interestingly, as with AC (but unlike RPC and PIC, which lie between AC and SAC), channelling constraints are tighter than the primal not-equals constraints wrt SAC.

Theorem 8. On a permutation problem:

GAC∀ → SAC≠c≠ ↔ SAC≠c ↔ SACc → SAC≠ ⊗ ACc

Proof. To show SACc → SAC≠, consider a permutation problem that is SACc and any instantiation for a primal variable x_i. Suppose that the primal not-equals model of the resulting problem cannot be made AC. Then there must exist two other primal variables, say x_j and x_k, which have at most one other value. Consider the dual variable associated with this value. Then under this instantiation of the primal variable x_i, enforcing AC on the channelling constraint between the primal variable x_i and the dual variable, and between the dual variable and x_j and x_k, results in a domain wipeout on the dual variable. Hence the problem is not SACc. This is a contradiction. The primal not-equals model can therefore be made AC following the instantiation of x_i. That is, the problem is SAC≠. To show strictness, consider a 5 variable permutation problem with domains x1 = x2 = x3 = x4 = {0, 1, 2} and x5 = {3, 4}. This is SAC≠ but not SACc.

To show GAC∀ → SACc, consider a permutation problem that is GAC∀. Consider any instantiation for a primal variable. This can be consistently extended to all variables in the primal model. But this means that it can be consistently extended to all variables in the primal and dual model, satisfying any (combination of) permutation or channelling constraints. As the channelling constraints are satisfiable, they can be made AC. Consider any instantiation for a dual variable. By a similar argument, taking the appropriate instantiation for the associated primal variable, the resulting problem can be made AC. Hence, given any instantiation for a primal or dual variable, the channelling constraints can be made AC. That is, the problem is SACc. To show strictness, consider a 7 variable permutation problem with x1 = x2 = x3 = x4 = {0, 1, 2} and x5 = x6 = x7 = {3, 4, 5, 6}. This is SACc but is not GAC∀.

To show SAC≠ ⊗ ACc, consider a four variable permutation problem in which x1 to x3 have the domain {1, 2, 3} and x4 has the domain {0, 1, 2, 3}. This is SAC≠ but not ACc. For the reverse, consider a 4 variable permutation problem with x1 = x2 = {0, 1} and x3 = x4 = {0, 2, 3}. This is ACc but not SAC≠. □

5.8 Strong Path-Consistency

Adding primal or dual not-equals constraints to channelling constraints does not help AC or SAC. The following result shows that their addition does not help higher levels of local consistency like strong path-consistency (ACPC) either.

Theorem 9. On a permutation problem:

GAC∀ ⊗ ACPC≠c≠ ↔ ACPC≠c ↔ ACPCc → ACPC≠ ⊗ ACc

Proof. To show ACPCc → ACPC≠, consider some channelling constraints that are ACPC. Now ACc → AC≠, so we just need to show PCc → PC≠. Consider a consistent pair of values, l and m, for a pair of primal variables, x_i and x_j. Take any third primal variable, x_k. As the constraint between d_l, d_m and x_k is PC, we can find a value for x_k consistent with the channelling constraints. But this also satisfies the not-equals constraint between primal variables. Hence, the problem is PC≠. To show strictness, consider a 4 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3}. This is ACPC≠ but not ACPCc.

To show ACPC≠c≠ ↔ ACPC≠c ↔ ACPCc, we recall that AC≠c≠ ↔ AC≠c ↔ ACc. Hence we need just show that PC≠c≠ ↔ PC≠c ↔ PCc. Consider a permutation problem. Enforcing PC on the channelling constraints alone infers both the primal and the dual not-equals constraints. Hence, PC≠c≠ ↔ PC≠c ↔ PCc.

To show GAC∀ ⊗ ACPC≠c≠, consider a 6 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3}, and x5 = x6 = {4, 5, 6}. This is ACPC≠c≠ but not GAC∀. For the reverse direction, consider a 3 variable permutation problem with the additional binary constraint even(x1 + x3). Enforcing GAC∀ prunes the domains to x1 = x3 = {1, 3} and x2 = {2}. However, these domains are not ACPC≠c≠. Enforcing ACPC tightens the constraint between x1 and x3 from not-equals to x1 = 1, x3 = 3 or x1 = 3, x3 = 1.

To show ACPC≠ ⊗ ACc, consider a 5 variable permutation problem with x1 = x2 = x3 = {1, 2}, and x4 = x5 = {3, 4, 5}. This is ACc but not ACPC≠. For the reverse direction, consider again the 4 variable permutation problem with x1 = x2 = x3 = x4 = {1, 2, 3}. This is ACPC≠ but not ACc. □

5.9 Multiple Permutation Problems

These results extend to multiple permutation problems under a simple restriction that the problem is triangle preserving [SW99] (that is, any triple of variables which are all-different must occur together in at least one permutation). For example, all-diff(x1, x2, x4), all-diff(x1, x3, x5), and all-diff(x2, x3, x6) is not triangle preserving as x1, x2 and x3 are all-different but are not in the same permutation. The following theorem collects together and generalizes many of the previous results.

Theorem 10. On a multiple permutation problem:

GAC∀ ⊗ ACPC≠c≠ ↔ ACPC≠c ↔ ACPCc → ACPC≠ ⊗ ACc
          ↓          ↓        ↓        ↓
GAC∀ → SAC≠c≠  ↔ SAC≠c  ↔ SACc  → SAC≠  ⊗ ACc
          ↓          ↓        ↓        ↓
GAC∀ → PIC≠c≠  → PIC≠c  → PICc  ⊗ PIC≠  ⊗ ACc
          ↓          ↓        ↓        ↓
GAC∀ → RPC≠c≠  → RPC≠c  → RPCc  ⊗ RPC≠  ⊗ ACc
          ↓          ↓        ↓        ↓
GAC∀ → AC≠c≠   ↔ AC≠c   ↔ ACc   → AC≠   ← BCc
 ↓        ↓          ↓        ↓        ↓
BC∀  → BC≠c≠   ↔ BC≠c   ↔ BCc   → BC≠

Proof. The proofs lift in a straightforward manner from the single permutation case. Local consistencies like ACPC, SAC, PIC and RPC consider triples of variables. If these are linked together, we use the fact that the problem is triangle preserving and a permutation is therefore defined over them. If these are not linked together, we can decompose the argument into AC on pairs of variables. Without triangle preservation, GAC∀ may only achieve as high a level of consistency as AC≠. For example, consider again the non-triangle preserving constraints in the last paragraph. If x1 = x2 = x3 = {1, 2} and x4 = x5 = x6 = {1, 2, 3} then the problem is GAC∀, but it is not RPC≠, and hence neither PIC≠, SAC≠ nor ACPC≠. □

6 SAT Models

Another solution strategy is to encode permutation problems into SAT and use a fast Davis-Putnam (DP) or local search procedure. For example, [BM00] report promising results for propositional encodings of round robin problems, which include permutation constraints. We consider just "direct" encodings into SAT (see [Wal00] for more details). We have a Boolean variable X_ij which is true iff the primal variable x_i takes the value j. In the primal SAT model, there are n clauses to ensure that each primal variable takes at least one value, O(n^3) clauses to ensure that no primal variable gets two values, and O(n^3) clauses to ensure that no two primal variables take the same value. Interestingly, the channelling SAT model has the same number of Boolean variables as the primal SAT model (as we can use X_ij to represent both the jth value of the primal variable x_i and the ith value for the dual variable d_j), and just n additional clauses to ensure each dual variable takes a value. The O(n^3) clauses to ensure that no dual variable gets two values are equivalent to the clauses that ensure no two primal variables get the same value. The following result shows that MAC is tighter than DP, and DP is equivalent to FC on these different models.



Theorem 11. On a permutation problem:

MGAC∀ → MAC≠c≠ ↔ MAC≠c ↔ MACc → MAC≠
           ↓        ↓       ↓      ↓
MGAC∀ → DP≠c≠  ↔ DP≠c  ↔ DPc  → DP≠
           ⇕        ⇕       ⇕      ⇕
MGAC∀ → FC≠c≠  ↔ FC≠c  ↔ FCc  → FC≠

Proof. DP≠ ↔ FC≠ is a special case of Theorem 14 in [Wal00], whilst MAC≠ → FC≠ is a special case of Theorem 15. To show DPc ↔ FCc, suppose unit propagation sets a literal l. There are four cases. In the first case, a clause of the form X_i1 ∨ ... ∨ X_in has been reduced to a unit. That is, we have one value left for a primal variable. A fail first heuristic in FC picks this last value to instantiate. In the second case, a clause of the form ¬X_ij ∨ ¬X_ik for j ≠ k has been reduced to a unit. This ensures that no primal variable gets two values. The FC algorithm trivially never tries two simultaneous values for a primal variable. In the third case, a clause of the form ¬X_ij ∨ ¬X_kj for i ≠ k has been reduced to a unit. This ensures that no dual variable gets two values. Again, the FC algorithm trivially never tries two simultaneous values for a dual variable. In the fourth case, X_1j ∨ ... ∨ X_nj has been reduced to a unit. That is, we have one value left for a dual variable. A fail first heuristic in FC picks this last value to instantiate. Hence, given a suitable branching heuristic, the FC algorithm tracks the DP algorithm. To show the reverse, suppose forward checking removes a value. There are two cases. In the first case, the value i is removed from a dual variable d_j due to some channelling constraint. This means that there is a primal variable x_k which has been set to some value l ≠ j. Unit propagation on ¬X_kl ∨ ¬X_kj sets X_kj to false, and then on ¬X_ij ∨ ¬X_kj sets X_ij to false as required. In the second case, the value j is removed from a primal variable x_i, again due to a channelling constraint. The proof is now dual to the first case.

To show MACc → DPc, we use the fact that MAC dominates FC and FCc ↔ DPc. To show strictness, consider a 3 variable permutation problem with additional binary constraints that rule out the same value for all 3 primal variables. Enforcing AC on the channelling constraints causes a domain wipeout on the dual variable associated with this value. As there are no unit clauses, DP does not immediately solve the problem.

To show DPc → DP≠, we note that the channelling SAT model contains more clauses. To show strictness, consider a four variable permutation problem with three additional binary constraints such that if x1 = 1 then x2 = 2, x3 = 2 and x4 = 2 are all ruled out. Consider branching on x1 = 1. Unit propagation on both models sets X12, X22, X32, X42, X21, X31 and X41 to false. On the channelling SAT model, unit propagation against the clause X12 ∨ X22 ∨ X32 ∨ X42 then generates an empty clause. By comparison, unit propagation on the primal SAT model does no more work. □
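The primal and channelling SAT models and the strictness argument in the proof above, as an added Python example (not code from the paper): it builds the direct encodings for n variables, runs unit propagation, and shows that after branching on x1 = 1 the channelling model yields an empty clause while the primal model does not. Variable and value indices are 0-based, so X_ij here is the paper's X_{i+1,j+1}; the clause counts are the n and O(n^3) families described in Section 6.

```python
from itertools import combinations

# Added example. X_ij (0-based i, j) is true iff primal variable x_i takes value j; in
# the channelling model the same Boolean also means dual variable d_j takes value i.
# Literals are DIMACS-style non-zero ints, negative for negation.

def lit(i, j, n):
    """Positive literal X_ij for an n-variable permutation problem."""
    return i * n + j + 1

def primal_sat(n, extra=()):
    """Primal SAT model: n at-least-one-value clauses, n*C(n,2) at-most-one-value clauses,
    n*C(n,2) no-two-variables-share-a-value clauses, plus the problem's extra clauses."""
    clauses = []
    for i in range(n):
        clauses.append([lit(i, j, n) for j in range(n)])
        for j, k in combinations(range(n), 2):
            clauses.append([-lit(i, j, n), -lit(i, k, n)])
    for j in range(n):
        for i, k in combinations(range(n), 2):
            clauses.append([-lit(i, j, n), -lit(k, j, n)])
    return clauses + [list(c) for c in extra]

def channelling_sat(n, extra=()):
    """Channelling SAT model: the primal clauses plus n clauses saying each dual variable
    takes at least one value (its at-most-one clauses are already in the primal model)."""
    return primal_sat(n, extra) + [[lit(i, j, n) for i in range(n)] for j in range(n)]

def unit_propagate(clauses, assignment):
    """Unit propagation from a partial assignment {var: bool}. Returns (assignment, None)
    at the fixpoint, or (assignment, clause) as soon as some clause becomes empty."""
    assignment = dict(assignment)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            free = []
            for l in clause:
                value = assignment.get(abs(l))
                if value is None:
                    free.append(l)
                elif value == (l > 0):  # clause already satisfied
                    break
            else:
                if not free:
                    return assignment, clause
                if len(free) == 1:
                    assignment[abs(free[0])] = free[0] > 0
                    changed = True
    return assignment, None

def theorem_11_example():
    """The strictness example of Theorem 11: 4 variables, and if x1 = 1 then x2, x3 and x4
    may not take 2. Branch on x1 = 1 and propagate on both models; returns the conflict
    clause found on each model (None if none) and the channelling model's assignment."""
    n = 4
    extra = [[-lit(0, 0, n), -lit(i, 1, n)] for i in (1, 2, 3)]  # x1 = 1 -> x_i != 2
    branch = {lit(0, 0, n): True}
    _, primal_conflict = unit_propagate(primal_sat(n, extra), branch)
    assignment, chan_conflict = unit_propagate(channelling_sat(n, extra), branch)
    return primal_conflict, chan_conflict, assignment

if __name__ == "__main__":
    primal_conflict, chan_conflict, _ = theorem_11_example()
    print("primal model conflict clause:", primal_conflict)
    print("channelling model conflict clause:", chan_conflict)
```

The conflict clause returned for the channelling model is X12 ∨ X22 ∨ X32 ∨ X42 in the paper's numbering (value 2 must go somewhere), which is exactly the dual at-least-one clause the primal model lacks.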



7 Asymptotic Comparison

The previous results tell us nothing about the relative cost of achieving these local consistencies. Asymptotic analysis adds detail to the results. Régin's algorithm achieves GAC∀ in O(n^?) [R94]. AC on binary constraints can be achieved in O(ed^2) where e is the number of constraints and d is their domain size. As there are n^2 channelling constraints, ACc naively takes O(n^4) time. However, by taking advantage of the functional nature of channelling constraints, we can reduce this to O(n^?) using the AC-5 algorithm of [HDT92]. AC≠ also naively takes O(n^4) time as there are O(n^2) binary not-equals constraints. However, we can take advantage of the special nature of a binary not-equals constraint to reduce this to O(n^?) as each not-equals constraint needs to be made AC just once. Asymptotic analysis thus offers no great surprises: we proved that GAC∀ → ACc → AC≠ and this is reflected in their O(n^?), O(n^?), O(n^?) respective costs. Thus, GAC∀ achieves the greatest pruning but at the greatest cost. We need to run experiments to see if this cost is worth the additional pruning.



8 Experimental Comparison

On Langford's problem, a permutation problem from CSPLib, Smith found that MAC on the channelling and other problem constraints is often the most competitive model for finding all solutions [Smi00]. MACc (which takes O(n^?) time at each node in the search tree if carefully implemented) explores a similar number of branches to the more powerful MGAC∀ (which takes O(n^?) time at each node in the search tree). This suggests that MACc may offer a good tradeoff between the amount of constraint propagation and the amount of search required. For finding single solutions, Smith's results are somewhat confused by the heuristic accuracy. She predicts that these results will transfer over to other permutation problems. To confirm this, we ran experiments in three other domains, each of which is combinatorially challenging.
8.1 All-Interval Series 

Hoos has proposed the all-interval series problem from musical composition as a bench- 
mark for CSPLib. The ais(n) problem is to find a permutation of the numbers 1 to n, 
such that the differences between adjacent numbers form a permutation from 1 to n − 1. 
Computing all solutions is a difficult combinatorial problem. As on Langford’s problem 
[Smi00], MAC_c visits only a few more branches than MGAC_∀. Efficiently implemented, 
MAC_c is therefore the quickest solution method. 



Table 1. Branches to compute all solutions to ais(n). 

   n    MAC_≠    MAC_c   MGAC_∀ 
   6      135       34       34 
   7      569      153      152 
   8     2608      627      626 
   9    12137     2493     2482 
  10    60588    10552    10476 
  11   318961    47548    47052 



8.2 Circular Golomb Rulers 

A perfect circular Golomb ruler consists of n marks arranged on the circumference of 
a circle of length n(n — 1) such that the distances between any pair of marks, in either 
direction along the circumference, form a permutation. Computing all solutions is again 
a difficult combinatorial problem. Table 2 shows that MGAC_∀ is very competitive with 
MAC_c. Indeed, MGAC_∀ has the smallest runtimes. We conjecture that this is due to 
circular Golomb rulers being more constrained than all-interval series. 



Table 2. Branches to compute all order n perfect circular Golomb rulers. 

   n    MAC_≠    MAC_c   MGAC_∀ 
   6      202       93       53 
   7     1658      667      356 
   8    15773     5148     2499 
   9   166424    43261    19901 



8.3 Quasigroups 

Achlioptas et al. have proposed completing a partially filled quasigroup as a benchmark 
for SAT and CSP algorithms [AGKS00]. This can be modeled as a multiple permutation 
problem with 2n intersecting permutation constraints. A complexity peak is observed 
when approximately 40% of the quasigroup is replaced by “holes”. Table 3 shows the 
increase in problem difficulty with n. Median behavior for MAC_c is competitive with 
MGAC_∀. However, mean performance is not, due to a few expensive outliers. A random- 
ization and restart strategy reduces the size of this heavy-tailed distribution. 
Table 3. Branches to complete 100 order n quasigroup problems with 40% holes. 

               median                          mean 
   n    MAC_≠   MAC_c  MGAC_∀     MAC_≠      MAC_c   MGAC_∀ 
   5        1       1       1         1          1        1 
  10        1       1       1      1.03       1.00     1.01 
  15        3       1       1      7.17       1.17     1.10 
  20    23313       7       4    312554      21.76    12.49 
  25        -     249      53         -     8782.4    579.7 
  30        -    5812     398         -    2371418    19375 

9 Related Work 

Chen et al. studied modeling and solving the n-queens problem, and a nurse rostering 
problem using channelling constraints [CCLW99]. They show that channelling con- 
straints increase the amount of constraint propagation. They conjecture that the over- 
heads associated with channelling constraints will pay off on problems which require 
large amounts of search, or lead to thrashing behavior. They also show that channelling 
constraints open the door to interesting value ordering heuristics. 

As mentioned before, Smith studied a number of different models for Langford’s 
problem, a permutation problem in CSPLib [Smi00]. Smith argues that channelling con- 
straints make primal not-equals constraints redundant. She also observes that MAC on 
the model of Langford’s problem using channelling constraints explores more branches 
than MGAC on the model using a primal all-different constraint, and the same number 
of branches as MAC on the model using channelling and primal not-equals constraints. 
We prove these results hold in general for (multiple) permutation problems and that the 
gap can be exponential. However, we also show that they do not extend to algorithms 
that maintain certain other levels of local consistency like restricted path-consistency. 
Smith also shows the benefits of being able to branch on dual variables. 



10 Conclusions 

We have performed an extensive study of a number of different models of permutation 
problems. To compare models, we defined a measure of constraint tightness parameter- 
ized by the level of local consistency being enforced. We used this to prove that, with 
respect to arc-consistency, a single primal all-different constraint is tighter than chan- 
nelling constraints, but that channelling constraints are tighter than primal not-equals 
constraints. Both these gaps can lead to an exponential reduction in search cost. For lower 
levels of local consistency (e.g. that maintained by forward checking), channelling con- 
straints remain tighter than primal not-equals constraints. However, for certain higher 
levels of local consistency like path inverse consistency, channelling constraints are 
incomparable to primal not-equals constraints. 

Experimental results on three different and challenging permutation problems con- 
firmed that MAC on channelling constraints outperformed MAC on primal not-equals 
constraints, and could be competitive with maintaining GAC on a primal all-different 
constraint. However, on more constrained problems, the additional constraint propaga- 
tion provided by maintaining GAC on the primal all-different constraint was beneficial. 
We believe that these results will aid users of constraints to choose a model for a permu- 
tation problem, and a local consistency property to enforce on it. They also illustrate a 
methodology, as well as a measure of constraint tightness, that can be used to compare 
different constraint models in other problem domains. 
Abstract. Binary propositional theories, composed of clauses with at 
most two literals, are one of the most interesting tractable subclasses 
of the satisfiability problem. We present two hybrid simplification al- 
gorithms for binary theories, which combine the unit-resolution-based 
2SAT algorithm BinSat with refined versions of the classical strongly 
connected components (SCC) algorithm of [1]. We show empirically that 
the algorithms are considerably faster than other SCC-based algorithms, 
and have greater simplifying power, as they combine detection of en- 
tailed literals with identification of SCCs, i.e. sets of equivalent literals. 
By developing faster simplification algorithms we hope to contribute to 
attempts to integrate simplification of binary theories within the search 
phase of general SAT solvers. 



1 Introduction 

Binary propositional theories, composed of clauses with at most two literals, are 
one of the most interesting tractable subclasses of the well-known satisfiability 
problem. In addition to quick decision of satisfiability, binary theories also offer 
opportunities for efficient simplification, in particular through the derivation of 
entailed literals and of sets of equivalent literals, which can be eliminated. 

The goal of this paper is to reduce the overhead of binary clause reasoning 
so that it results (hopefully) in affordable per-node costs when used within the 
search phase of a DPLL-style general SAT solver [7,11]. While solving pure 
binary problems is by itself not that interesting, simplifying the binary subset of 
a general propositional theory has a lot of potential in helping to solve general 
SAT problems. Indeed, binary clause reasoning has demonstrated substantial 
pruning power when used on the binary subsets of the theories associated to 
each node in the backtracking search tree of such solvers ITM8I, or even only 
at the root of this tree, i.e. as preprocessing [2,3]. 

But the additional simplifying power of binary clause reasoning is not with- 
out cost, and this cost cannot always be justified. Hence our goal to reduce the 
overhead. The lack of a measurable impact in overall efficiency probably explains 
the relative scarcity of literature on integrating binary simplification methods 
into general SAT solvers. Most telling, and probably still valid, is the story be- 
hind one of the earliest attempts known to us toward integrating binary clause 
reasoning into general solvers. In the 1993 SAT competition held in Paderborn 
[4], the second-rated solver was identical to the top-rated solver except for the 
addition of significant amounts of binary clause reasoning. The second solver 
eliminated equivalent literals, as found by the classical strongly connected com- 
ponents (SCCs) algorithm for 2SAT presented by Aspvall et al. in [1], and derived 
unit clauses entailed by the binary subset of a theory at each search node. Un- 
fortunately, the second solver was significantly slower, even though it expanded 
a significantly smaller search tree. Though there have been other quite interesting 
approaches to incorporating binary reasoning, perhaps most competitively the 
solver 2cl by van Gelder m, we can record the fact that this kind of reasoning 
has not really made it into current general SAT solvers, except as a preprocessing 
stage or in ad hoc ways. For example, Brafman recently reports [3] abandoning 
an attempt to integrate his successful preprocessing 2SAT-based simplifier within 
search, again after noticing a very high overhead. 

1.1 Contributions 

We present two new simplification methods for binary theories which reduce the 
overhead, and thus have better potential for successful integration within search. 
Both algorithms, to which we will refer generically as BinSatSCC, are hybrids 
between the unit-resolution-based algorithm BinSat recently proposed by del Val 
[9], and the classical SCC-based 2SAT algorithm introduced by Aspvall et al. in 
[1], which we will call APT-SCC. Both versions of BinSatSCC augment BinSat’s 
depth-first unit resolution with the ability to detect SCCs, differing only in the 
underlying SCC algorithm. BinSatSCC-1 uses a variant of the SCC algorithm of 
[12], and is closely related to the algorithm HyperCC of [16]. BinSatSCC-2, in 
turn, is based on the SCC algorithm described in [5], using BinSat to dynami- 
cally restrict the implication graph of a binary theory to the nodes appearing in 
the model generated by BinSat, and thus to half the nodes of the graph searched 
by other SCC algorithms. Both BinSatSCC algorithms yield: (a) much faster de- 
tection of unsatisfiability than with APT-SCC; (b) identification of a significant 
subset of the entailed literals, which is out of the scope of APT-SCC; (c) faster 
identification of sets of equivalent literals than with APT-SCC. 

Our general conclusion is unequivocally positive: BinSatSCC achieves strictly 
more simplification than APT-SCC in significantly less time. The greater sim- 
plifying power derives from (b) and (c), where BinSat only achieves (b) and 
APT-SCC only achieves (c). As for efficiency, we show empirically that Bin- 
SatSCC algorithms provide a speed up by a factor of at least close to 2 with 
respect to APT-SCC on all problems, and even more on unsatisfiable ones. Com- 
pared to BinSat, we must again distinguish between satisfiable and unsatisfiable 
problems. On satisfiable problems, both versions of BinSatSCC are less efficient 
than BinSat (it could not be otherwise, as both algorithms augment BinSat), 
in return for greater simplifying power; and BinSatSCC-1 is clearly the fastest 
version. On unsatisfiable problems, on the other hand, BinSatSCC-2 is exactly 
as efficient as BinSat, whereas BinSatSCC-1 incurs a relatively significant over- 
head. There is thus no clear winner, but since unsatisfiable problems are usually 
easier, the balance seems to lean towards BinSatSCC-1. 



1.2 Structure of the Paper 

The structure of this paper is as follows. Section 2 introduces the implication 
graph of binary theories, the main data-structure used by all algorithms studied 
in this paper. Sections 3 and 4 review the building blocks of our new algo- 
rithms, respectively SCC-based algorithms and BinSat. Section 5 presents the 
BinSatSCC algorithms and proves their correctness. Section 6 provides exper- 
imental data which confirm the claims made in this paper, in particular the 
advantages of BinSatSCC over APT-SCC in efficiency and simplifying power. 



2 Searching the Implication Graph 

We begin with some formal preliminaries, in particular in connection with the 
“implication graph” of binary theories, which is searched by all algorithms in 
this paper. We assume familiarity with the standard literature on propositional 
reasoning, specially with clausal theories. We use lower case letters for literals 
(e.g. a, b, x, y, where ¬b is b negated), and treat clauses as sets, though we write 
them as sequences (e.g. abc is the disjunction of these three literals). 

Definition 1 (Aspvall et al. [1]). The implication graph G(S) for a set of 
binary clauses S contains one node for each literal of S, and directed edges 
¬x → y (and, symmetrically, ¬y → x) whenever the clause xy is in S. 

An edge x → y graphically represents an implication from x to y in S, where 
each clause provides two such implications. Paths in G{S) also correspond to 
logical implication, by the transitivity of the latter. 

For completeness, let us also define here: 

Definition 2. The transposed implication graph Gt(S) is defined by inverting 
the direction of all edges in G(S). 

Definition 3. A strongly connected component (SCC) of a graph G is a maximal 
subset C of nodes of G such that for every u, v ∈ C, there are paths in G from 
u to v and from v to u. 

Clearly, if two literals belong to a SCC of G{S), then S entails that they are 
equivalent, because of the correspondence between paths and implications. 

Example 1. Consider the theory S = {¬a b, ¬b c, ¬c ¬b, ¬c d, ¬d e, ¬e c}. Its 
implication graph is shown in Figure 1a. We can see, for example, that there is 
a path from b to ¬b, indicating the chain of implications b → c → ¬b, from which 
¬b, and then ¬a, can be derived as unit clauses entailed by S. We can also see 
that there is a cycle, c → d → e → c, which constitutes one SCC of G(S). Thus, 
S entails that all the literals in the cycle are equivalent, so all occurrences of, 
say, d and e can be replaced by c, and the clauses linking variables from the SCC 
eliminated. If this simplification is performed during expansion of a backtrack- 
like search tree, it directly prunes the exponential growing factor of this tree, by 
decreasing the number of variables. In this particular example, we began with a 
five variable problem which contained no unit clauses and we ended up with a 
single unassigned variable, namely c. 

Fig. 1. Graphs for Example 1: (a) implication graph, (b) transposed implication graph. 



The implication graph presents a large degree of symmetry as a result of its 
“redundant” representation of each binary clause by two edges in the graph. This 
has some interesting properties. For every edge x → y, there’s an edge ¬y → ¬x, 
a notion of “contraposition” which can also be generalized to paths. For every 
(consistent) SCC, furthermore, there’s a complementary SCC with the sign of all 
literals changed (in the example, the cycle ¬c → ¬e → ¬d → ¬c). Finally, symmetry 
also shows up in the transposed graph Gt(S), which, as can be seen in 
Figure 1b, can be obtained by simply swapping each pair of complementary 
literals in G(S), i.e. by negating the label associated to each node. 

All the algorithms discussed in this paper can be entirely cast as depth first 
search of the implication graph. It is worth noting that G{S) is at least implicitly 
built by any DPLL solver, which must index its binary clauses somehow. In 
the implementations tested, we used the data-structures of compact [H], which 
include an explicit representation of G{S) in the form of adjacency lists for each 
literal. At any rate, any data structure that supports efficient unit resolution on 
binary clauses can be used to represent G{S) and search it. Thus, the studied 
algorithms represent no data-structure overhead for standard DPLL solvers. 
3 SCC Algorithms 

We begin our review of the building blocks of BinSatSCC by SCC algorithms. As 
said, such algorithms are based on depth first search (DFS) of G(S), so let’s fix 
some terminology about DFS for later reference. Following a classic algorithm 
book [5], DFS has a top level loop which iterates over all nodes of a graph, calling 
a subroutine DFS-Visit for each undiscovered node. DFS-Visit, in turn, simply 
marks the node as discovered, and iterates over its adjacency list, recursively 
calling DFS-Visit on each as yet undiscovered node in the list. When finished 
with an adjacency list, DFS-Visit terminates, possibly associating a “finishing 
time” to the node whose visit is concluding. 

APT-SCC searches for SCCs of G{S), determining S unsatisfiable just in case 
it finds a SCC with complementary literals. If no such SCC is found, APT-SCC 
can output the SCCs for simplification of the theory. We consider in fact two 
different SCC algorithms for APT-SCC. SCC-1, as we will call it, is the classical 
SCC algorithm by Tarjan [12]. It obtains SCCs with one DFS over G{S), by 
keeping track of earliest “back edges” (leading to an ancestor node) found along 
the search. SCC-2 is an alternative algorithm described in e.g. [5], which requires 
two depth first searches. The goal of the first DFS, over G{S), is only to sort 
the nodes (literals) by reverse ordering of finishing time. This can be achieved 
quite simply by pushing nodes into a stack as they are finished, so that the 
latest finished node is on top of the stack at the end. The second DFS is over 
the transposed graph Gt{S), processing nodes in the top loop in the ordering 
returned by the first search. Each of the trees in the depth first forest generated 
by the second DFS is a SCC of G(S).^1 

Accordingly, we have two algorithms, APT-SCC-1 and APT-SCC-2. We note 
that APT-SCC-1 is the original APT-SCC as proposed in [1], whereas APT-SCC- 
2 is a previously unreported variation, which happens to yield quite interesting 
conclusions. In particular, APT-SCC-2 benefits from the fact that the transposed 
graph is already implicit in G(S), and thus needs not be computed explicitly. 
This is illustrated in Figure 1b. Specifically, the adjacency list of a literal x in 
Gt(S) can be obtained by inverting the sign of all literals in the adjacency list 
of the (also negated) literal ¬x in the original graph G(S). For x → y is an edge 
in the transposed graph Gt(S) iff y → x is an edge in the original G(S), iff 
¬y x ∈ S, iff ¬x → ¬y is an edge of G(S). 

4 BinSat 

The algorithm BinSat proposed by del Val in [9] does a single depth first search of 
the graph, following “unit resolution paths” across G(S). The algorithm appears 
in Figure 2, taken from [9]. Further description of BinSat can be found there, 
though we provide below some explanation to understand the pseudocode. 

^1 Note that the numbers in SCC-1 and SCC-2 can be used to denote historical prece- 
dence, but also as mnemonic for the number of DFSs done by each algorithm. 
Procedure TempPropUnit(x) 
  /* Input: A literal x to be tentatively assigned. */ 
  if tempval(x) = false                  /* temporary conflict, S ⊨ ¬x → x */ 
    then set S := PropUnit(S ∪ {x}) and return; 
  tempval(x) := true; tempval(¬x) := false; 
  foreach y ¬x ∈ S do: 
    if (□ ∈ S or permval(x) ≠ NIL) then return; 
    if (permval(y) = NIL and tempval(y) ≠ true) then TempPropUnit(y); 

Procedure BinSat(S) 
  /* Input: A binary clausal theory S */ 
  foreach literal x of S do: 
    tempval(x) := permval(x) := NIL; 
  S := PropUnit(S); 
  while (□ ∉ S and there exists a literal x s.t. permval(x) = tempval(x) = NIL) do: 
    TempPropUnit(x); 
  if □ ∈ S 
    then return Unsatisfiable; 
    else return GetModel(); 

Fig. 2. BinSat algorithm for 2-SAT.^2 See text for explanations. GetModel() returns, 
for each variable, its permval if non-null, and otherwise its tempval. 



BinSat keeps track of tentative assignments tempval, and permanent assign- 
ments permval for each literal (in practice, for each variable, but this would 
obscure the pseudocode). The former are assigned as a result of tentatively as- 
suming a literal and propagating its consequences by depth-first unit resolution, 
using the subroutine TempPropUnit; the latter denote forced (entailed) literals, 
and are set by a subroutine PropUnit, which (unlike TempPropUnit) stands for 
any implementation of unit resolution. We only assume that the assignments 
forced by PropUnit are recorded as permanent values by setting permval’s, and 
that it generates the empty clause, denoted □ in the pseudocode, when it reaches 
a global contradiction.^2 

BinSat shares the structure of DFS. TempPropUnit corresponds to DFS- 
Visit, recursively calling itself for each undiscovered member of the “adjacency 
list”. It takes charge of propagating tentative assignments in depth first fashion, 

^2 Figure 2 differs from the original in [9] in explicit tests for null permval’s, so that 
no processing of forced variables takes place after they are set by PropUnit. These 
tests were unnecessary in [9] because of an explicit assumption (which is lifted here) 
that PropUnit effectively deleted subsumed clauses. 
with tempval’s being used as “discovered” marks. It differs from DFS-Visit only 
in its ability to detect entailed literals, triggering a call to PropUnit which prop- 
agates permanent assignments. The top level loop of BinSat is also identical to 
DFS, except that it only iterates over half the nodes of G(S), as it only tries 
each variable with one sign. The same applies to TempPropUnit, if we disregard 
variables which are assigned by PropUnit. These are the only ones visited by 
TempPropUnit with both signs; once they are assigned, we can treat them as if 
they no longer existed in the graph. 

Example 2 (continued). A sample run of BinSat on Example 1 could start by 
calling TempPropUnit(a). This would result in traversing the path a → b → c → 
¬b in G(S) (see Figure 1), causing a subsequent call to PropUnit(¬b) which would 
conclude ¬b and ¬a as entailed literals. As shown in [9], the DFS approach of Temp- 
PropUnit guarantees that such a path is detected when TempPropUnit(¬b) is called 
after tempval(b) was already set to true. At any rate, search by TempPropUnit 
continues from c along the path c → d → e. After exhausting the adjacency 
lists for these literals, we are back in the TempPropUnit(b) call, which termi- 
nates immediately as b is now permanently valued; back in TempPropUnit(a), 
the same thing happens, returning control to BinSat. Since all variables have a 
tentative or permanent (forced) value, BinSat terminates, returning the model 
M = {¬a, ¬b, c, d, e}, where c, d and e are the “tentatively assigned” literals of M 
(whose assignment does not lead to contradiction by unit resolution), and ¬a and 
¬b are the entailed literals. 

5 BinSatSCC Algorithms 

We now present the new algorithms, which detect both (a subset of) entailed 
literals and the sets of equivalent literals provided by SCCs. As said, both operate 
over G(S), and use BinSat, either implicitly or explicitly, as depth-first search 
of G(S). As in BinSat, in a real implementation all information associated to 
literals in the pseudocode would actually be associated to variables.^3 

BinSatSCC-1, described in Figure 3, uses a variant of Tarjan’s SCC-1 algo- 
rithm presented in [15]. BinSatSCC-1 and its auxiliary routine TempPropUnit- 
SCC are augmented versions of BinSat and TempPropUnit, respectively. The 
additions are pretty straightforward, given [12]. We associate to each variable 
x a discovery time discovered(x) when its visit begins, and we keep track 
through lowlink(x) of the discovery time of the earliest ancestor of x in the 
DFS tree which is reachable from x. If the visit of x reaches some of its an- 
cestors, then at the end of the visit discovered(x) ≠ lowlink(x), and x is 
added to a stack of literals whose SCC has not yet been identified. Otherwise, 
discovered(x) = lowlink(x) at the end of the visit, and x is the root of a SCC 

^3 This follows from properties of BinSat, which guarantee that if a variable is visited 
with both signs then it acquires a permanent value, and hence becomes irrelevant 
for SCC computation. In contrast, APT-SCC algorithms must keep information for 
both signs of a variable. 
Procedure TempPropUnit-SCC(x) 
  if tempval(x) = false                  /* temporary conflict, S ⊨ ¬x → x */ 
    then set S := PropUnit(S ∪ {x}) and return; 
  tempval(x) := true; tempval(¬x) := false; 
  time := time + 1; 
  discovered(x) := lowlink(x) := time; 
  foreach y ¬x ∈ S do: 
    if (□ ∈ S or permval(x) ≠ NIL) then return; 
    if permval(y) = NIL 
      then if tempval(y) ≠ true          /* if literal y not visited yet (with same sign) */ 
             then TempPropUnit-SCC(y); 
                  lowlink(x) := min(lowlink(x), lowlink(y)); 
           elseif not done(y) 
             then lowlink(x) := min(lowlink(x), discovered(y)); 
  if permval(x) = NIL 
    then if lowlink(x) ≠ discovered(x) 
           then push(x, stack); 
           else                          /* x is root of SCC */ 
             done(x) := true; 
             make the set currentSCC empty; 
             while (stack ≠ ∅ and discovered(top(stack)) > discovered(x)) 
               z := pop(stack); 
               done(z) := true; 
               if (permval(z) = NIL) then push(z, currentSCC); 
             output currentSCC ∪ {x}; 

Procedure BinSatSCC-1(S) 
  time := 0; stack := ∅; 
  foreach literal x of S do: 
    tempval(x) := permval(x) := NIL; 
    done(x) := false; 
  S := PropUnit(S); 
  while (□ ∉ S and there exists a literal x s.t. permval(x) = tempval(x) = NIL) do: 
    TempPropUnit-SCC(x); 
  if □ ∈ S 
    then return Unsatisfiable; 
    else return GetModel(); 

Fig. 3. Algorithm BinSatSCC-1. The framed code corresponds to the original Temp- 
PropUnit, so that the additions can be seen clearly. 
whose other members are all literals in the stack discovered later than x. All 
of them are then popped and outputted as a SCC, all of whose members are 
marked as done. 

Example 3 (continued). We illustrate a possible run of BinSatSCC on Exam- 
ple 1. The structure of the DFS is identical to that of BinSat, so that reaching 
¬b makes a and b permanently valued false. The visit to c (originating from b) 
reaches d and then e, at which point the edge e → c is found. This causes the 
update of lowlink(e), and thus e is pushed to the stack, and then similarly for 
d. After finishing d, c is found to be the root of a SCC which also contains all 
literals in the stack discovered after c (i.e. d and e). 

BinSatSCC-1 can be seen as a simplified (and correct) version of the Hy- 
perCC algorithm introduced by Pretolani in [16]. The main differences are: a) 
we use the simpler implication graph instead of Pretolani’s hypergraph repre- 
sentation, thus requiring basically no additional data structures beyond those 
used by standard DPLL SAT solvers; b) our formulation is in terms of unit res- 
olution, which we believe is easier to understand and makes the relationship 
with standard SAT solvers more transparent; c) BinSatSCC-1 uses a slightly 
more efficient version of Tarjan’s SCC-1 algorithm, which reduces the number 
of stack operations^4; d) finally, we fix a bug in Pretolani’s algorithm, by which 
literals which become permanently valued during their own visit (and thus after 
being pushed onto the stack in Tarjan’s algorithm, see previous footnote) will 
be incorrectly reported as members of the next generated (unvalued) SCC. 

BinSatSCC-2, our second algorithm, can be described as a modified SCC-2 
algorithm over a restricted implication graph, where this restriction is obtained 
by using BinSat as first DFS of the SCC-2 algorithm. Pseudocode is provided in 
Figure 4. The first step of BinSatSCC-2 is to call BinSat. This call ensures fast 
detection of unsatisfiable theories, and will detect a portion of entailed literals, 
for satisfiable ones (just as BinSatSCC-1). For the latter, the model obtained by 
BinSat is used to dynamically restrict G{S) to nodes (literals) satisfied in the 
model (and which are not known to be entailed); it also provides an ordering 
of those nodes for a second DFS on the restricted (transposed) graph. This 
second DFS is performed by BinSatSCC in the loop after the call to BinSat, 
with the procedure FindSCC corresponding to DFS-Visit over the restricted 
transposed graph. FindSCC keeps its own discovered mark for each literal to do 
the DFS, working on the transposed graph by examining adjacency lists of G{S) 
as described earlier. Note that it implicitly eliminates from the graph forced 
variables, by ignoring variables whose permval is set; and unforced literals not 
in the model, by requiring a true tempval to visit a node. 

^4 Specifically, while Tarjan’s algorithm adds each literal to the stack when its visit 
begins, the version of [15] only pushes them onto the stack when the visit finishes, and 
only if they are not the root of a SCC. As a byproduct, “trivial” singleton SCCs are 
never added to the stack, nor literals which become permanently valued during their 
visit. Obviously, this can be beneficial if there are many literals of either kind. Note 
however that a SCC may become permanently valued true after being finished. 



Simplifying Binary Propositional Theories into Connected Components 401 



Procedure FindSCC(literal x) 
  discovered(x) := true; 
  push(x, currentSCC); 
  foreach ¬y x ∈ S      /* working on transposed graph, visit each y s.t. ¬y ∈ Adj(¬x, G(S)) */ 
    if (permval(y) = NIL and         /* if y unforced/unvalued, and... */ 
        tempval(y) = true and        /* ...y visited by BinSat, and... */ 
        discovered(y) = false)       /* ...y not yet visited in second DFS */ 
      then FindSCC(y)                /* Note sign inversions throughout */ 

Procedure BinSatSCC-2(S) 
  if (BinSat(S) = Unsatisfiable) then return Unsatisfiable; 
  foreach literal x, discovered(x) := false; 
  foreach literal x visited by BinSat,    /* i.e. with tempval(x) = true */ 
          in reverse order of finishing time, do: 
    if (permval(x) = NIL and discovered(x) = false) 
      then make the set currentSCC empty; 
           FindSCC(x); 
           output currentSCC; 

Fig. 4. Algorithm BinSatSCC-2. 



Example 4 (continued). BinSatSCC-2 on Example 1 could proceed as follows. 
First, the call to BinSat can proceed as in Example 2. The ordering for the second 
search, which will ignore the entailed literals ¬a and ¬b, is c, d, e. Search on the 
transposed graph traverses backwards the c → d → e path of G(S) (i.e. c → e → d 
in Gt(S)), outputting the SCC with these three literals, and then terminates since 
all remaining literals in the model are visited. Note that BinSatSCC traverses 
fewer edges in total than APT-SCC-2 in its first search. 

Thus, if we ignore the derivation of entailed literals by BinSat (which is itself 
a source of significant simplification), BinSatSCC-2 can be described as APT- 
SCC-2 on the restricted graph, which, note, has at most half as many nodes 
as G(S). For whatever it is worth, we remark that this is a “semantic” restriction 
of G(S), as it is determined by a model, and that it is “dynamically generated” 
during search, i.e. it is not known in advance before calling BinSat. 
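As an added worked example (not code from the paper), the following Python puts Figures 2 and 4 together on the implication graph of Section 2: BinSat with PropUnit realised as plain unit propagation over the adjacency lists, followed by the second DFS of BinSatSCC-2 over the sign-inverted adjacency lists of Section 3, run on Example 1 so that the result can be checked against Examples 2 and 4. Assumptions: literals are DIMACS-style integers, the top-level loop tries variables in index order with positive sign, and the unsatisfiable theory UNSAT is constructed here.

```python
from collections import defaultdict


class BinarySolver:
    # BinSat (Fig. 2) and BinSatSCC-2 (Fig. 4) over the implication graph G(S).
    # Literals are non-zero ints (2 is b, -2 its negation); NIL is a missing key.

    def __init__(self, clauses):
        self.adj = defaultdict(list)   # adj[x]: successors of x in G(S)
        self.variables = set()
        for p, q in clauses:           # clause (p v q) gives edges -p -> q and -q -> p
            self.adj[-p].append(q)
            self.adj[-q].append(p)
            self.variables.update((abs(p), abs(q)))
        self.tempval = {}              # tentative values (TempPropUnit's DFS marks)
        self.permval = {}              # permanent, forced values (set by PropUnit)
        self.empty_clause = False
        self.finished = []             # literals in order of finishing time

    def prop_unit(self, x):
        """PropUnit: ordinary unit resolution from the forced literal x."""
        if self.permval.get(x) is False:
            self.empty_clause = True   # x and -x both forced: S is unsatisfiable
            return
        if x in self.permval:
            return
        self.permval[x], self.permval[-x] = True, False
        for y in self.adj[x]:          # x forced and (-x v y) in S forces y
            self.prop_unit(y)
            if self.empty_clause:
                return

    def temp_prop_unit(self, x):
        """TempPropUnit: depth-first unit resolution of a tentative literal x."""
        if self.tempval.get(x) is False:
            self.prop_unit(x)          # -x is a DFS ancestor of x, so S entails x
            return
        self.tempval[x], self.tempval[-x] = True, False
        for y in self.adj[x]:
            if self.empty_clause or x in self.permval:
                return                 # x became forced meanwhile: abandon its visit
            if y not in self.permval and self.tempval.get(y) is not True:
                self.temp_prop_unit(y)
        self.finished.append(x)

    def bin_sat(self):
        """Return a model as a set of true literals, or None if S is unsatisfiable."""
        # The initial PropUnit(S) of Fig. 2 does nothing on a purely binary S.
        for v in sorted(self.variables):   # top loop: each variable with one sign only
            if self.empty_clause:
                break
            if v not in self.permval and v not in self.tempval:
                self.temp_prop_unit(v)
        if self.empty_clause:
            return None
        return {self.model_value(v) for v in self.variables}

    def model_value(self, v):
        """GetModel(): the permval of variable v if non-NIL, otherwise its tempval."""
        val = self.permval[v] if v in self.permval else self.tempval[v]
        return v if val else -v

    def find_scc(self, x, discovered, current):
        """FindSCC: DFS-Visit on the transposed graph restricted to BinSat's model."""
        discovered.add(x)
        current.append(x)
        # y -> x is an edge of G(S) iff -x -> -y is, so the predecessors of x are
        # the negations of adj[-x]: the sign inversion described in Section 3.
        for y in (-z for z in self.adj[-x]):
            if (y not in self.permval and self.tempval.get(y) is True
                    and y not in discovered):
                self.find_scc(y, discovered, current)

    def bin_sat_scc2(self):
        """Return (model, entailed literals, SCCs), or None if S is unsatisfiable."""
        model = self.bin_sat()
        if model is None:
            return None
        discovered, sccs = set(), []
        for x in reversed(self.finished):      # reverse finishing-time order
            if x not in self.permval and x not in discovered:
                current = []
                self.find_scc(x, discovered, current)
                sccs.append(frozenset(current))
        entailed = {lit for lit, val in self.permval.items() if val}
        return model, entailed, sccs


# Example 1 of the paper: S = {-a b, -b c, -c -b, -c d, -d e, -e c}
A, B, C, D, E = 1, 2, 3, 4, 5
EXAMPLE_1 = [(-A, B), (-B, C), (-C, -B), (-C, D), (-D, E), (-E, C)]
# Constructed unsatisfiable theory: a and b are forced both true and both false.
UNSAT = [(A, B), (A, -B), (-A, B), (-A, -B)]


def run_example1():
    """Expected: model {-a, -b, c, d, e}, entailed {-a, -b}, one SCC {c, d, e}."""
    return BinarySolver(EXAMPLE_1).bin_sat_scc2()
```

On Example 1 the DFS visits a, b, c, (conflict at ¬b, forcing ¬b and ¬a), d, e, so the finishing order is e, d, c, a and the second search starts from c, exactly as in Example 4.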

Theorem 1. BinSatSCC-1 and BinSatSCC-2 correctly decide the satisfiability 
of any binary propositional theory S, and correctly identify a subset of the literals 
entailed by S. If S is satisfiable, both algorithms correctly output a set of SCCs 
(sets of equivalent literals) which includes all variables without permanent value. 
The algorithm runs in time linear in the number of clauses. 
Proof. For both algorithms, complexity follows from the complexity of BinSat and
depth first search. Correct decision of satisfiability and detection of entailed literals
also follows from correctness of BinSat [5]. Assume therefore in what follows that S is
satisfiable, to prove correct SCC detection.

The correctness of BinSatSCC-1 follows from the correctness of the version of SCC-1
we use, since the SCC aspects of TemPropUnitSCC simply ignore literals with perma-
nent value (in particular, no such literal will be added to currentSCC).

For BinSatSCC-2, assume that all literals discovered by BinSat to be entailed by 
S have been simplified away from S (as said in the text, the algorithm ensures this in 
practice by ignoring variables with permanent, forced values). Thus we assume that all 
literals in S are only tentatively valued (with tempval) by BinSat. 

As already pointed out, BinSat’s control flow is the same as depth first search of
G(S). In the top level loop it imposes the restriction that no variable is visited with
both signs, then it interrupts the search before completion (with respect to G(S)) when
every variable is visited with exactly one sign. Let us now suppose that we take this
initial DFS by BinSat (over the possibly simplified G(S), thus ignoring forced literals)
as part of the initial DFS by APT-SCC-2, and let’s hypothetically proceed with a run
of APT-SCC-2 on G(S). We’ll claim that the main loop of BinSatSCC-2 will obtain
exactly the same SCCs as would be obtained by APT-SCC-2 when processing, in its
second, transposed DFS, the literals visited by BinSat. Since these SCCs include every
non-forced variable, the conclusion of the theorem follows from correctness of SCC-2.

Let VISITED be the set of tentative literals assigned true by BinSat. Ignoring
again forced values, continuing the first DFS by APT-SCC-2 would visit the literals,
call them UNVISITED, that were not visited by BinSat (which are the complements
of the literals in VISITED). Then APT-SCC-2 would start a second DFS, now on
G^T(S), in reverse order of finishing times. Clearly, this means processing, at top level,
all literals in UNVISITED before any one in VISITED (as the former were finished
later in the first search). We claim that this processing does not discover any VISITED
literal. For suppose x ∈ UNVISITED is visited at top level by the second DFS of APT-
SCC-2, and let y be any descendant of x in this search. This implies that there is a
“backwards” path x ⇜ y in G(S). It follows that y ∉ VISITED, since otherwise
x should have been reached during or before the visit of y by BinSat, in contradiction
with x ∈ UNVISITED.

We conclude that the transposed search over all literals in UNVISITED reaches 
no literal in VISITED. It follows that, when APT-SCC-2 concludes processing the 
UNVISITED literals in its transposed search, all the VISITED literals remain to be 
visited by the transposed search, and all UNVISITED literals are already discovered. 
BinSatSCC in effect treats all literals in UNVISITED as if they had already been 
discovered in the second search (by the simple device of ignoring literals not discovered 
in the first search by BinSat, i.e. whose tempval is not true); and when BinSatSCC 
begins its loop, no VISITED literal is marked as discovered, just as would happen with 
APT-SCC-2 when reaching that stage of its transposed search. Thus, BinSatSCC will 
do exactly the same processing of the VISITED literals as APT-SCC-2 would do, and 
in particular it will generate the same SCCs as APT-SCC-2 processing the VISITED 
literals. But the VISITED literals include all (unforced) variables with one sign, hence 
it will include every variable in some SCC in this phase. And this is all we need. □ 
6 Experimental Study

In this section, we present extracts from a substantial experimental study on bi-
nary clause reasoning algorithms. All algorithms were implemented using data
structures similar to compact [?], a polynomial simplifier for propositional
clausal theories. In particular, compact uses, for each literal x, a list of lit-
erals y such that xy is a clause of the input theory. It is easy to see that this
is a quite explicit representation of G(S), though compact uses it to do unit
resolution much as most SAT solvers. BinSat in fact uses the implementation of
unit resolution of compact, while APT-SCC-1 and APT-SCC-2 use this repre-
sentation of G(S) to do their depth first visit(s). This common implementation
makes the comparisons more meaningful.

The implementations were as efficient as we could make them. One particular
optimization which is worth mentioning is that neither APT-SCC algorithm
generates complementary SCCs. For APT-SCC-1, this is achieved by visiting
each variable with only one sign in the top level loop of DFS; the rationale is
that after finishing a top level visit of x we have already generated its SCC, so
there is no point in trying x̄. For APT-SCC-2, this is achieved by making its
second search ignore, at the top level, variables already assigned to some SCC,
with the same rationale.* While these optimizations may appear obvious, they
are not always implemented (e.g. [?]); we ourselves didn’t optimize APT-SCC-1
until late in the process, which initially led us to wrongly conclude that APT-
SCC-2 was clearly superior to APT-SCC-1 on satisfiable problems. At any rate,
these optimizations considerably reduce the difference in cost of both algorithms
with respect to BinSatSCC.

We used various random and non-random problem generators.** First, we gen-
erated random problems according to the fixed probability model of [?]. We
found a very sharp phase transition, so sharp that it seriously limited the range
of interesting tests; a ratio between 0.9 and 1.1 clauses per variable was the only
one likely to yield problems which were not trivially under- or over-constrained.
We ran tests on instances with 20,000, 60,000 and 100,000 variables, and also
considered theories forced to be satisfiable. In the tables below, they are denoted
R-numvars-numclauses, with qualifiers “forced” for instances forced satisfiable,
and “sat” and “unsat” for unforced instances, with the obvious meaning. Sec-
ond, we considered chains of binary theories, each on some subset of the vo-
cabulary, linked in sequence by a couple of clauses with literals from the precedent
and subsequent cluster (these chains are introduced in [?]). They are denoted by
CH-numvars-numclauses-numtheories, where numvars and numclauses are the
numbers for each cluster (theory) in the chain. This gave rise to a much more
interesting range of behaviors, and a less sharp transition, with respect to the
number of clusters (whereas increasing the clause/variable ratio per cluster yields
very easy unsatisfiable problems). Instance size ranges from clusters of 50 to 250
variables, from 100 to 2000 clusters. Finally, we considered “variable chains”,
the worst case instances described in Example 1 of [?], where each variable im-
plies the next one, but the last variable in the chain is entailed false. These are
denoted as VC-numvars. All data points include at least 20 instances, and were
collected on a Pentium II 400MHz with 128MB of RAM, running Linux.

* As can be gathered from the proof of correctness of BinSatSCC-2, we could further
improve APT-SCC-2 by restricting its first DFS just as with APT-SCC-1. However,
we feel that the resulting algorithm is more like “BinSatSCC-2 without detection of
entailed literals” than “optimized APT-SCC-2,” so we see little point in testing it.

** We used a variant of Van Gelder’s generator cnfgen, available at Dimacs,
ftp://dimacs.rutgers.edu/pub/challenge/satisfiability/



Table 1. Average CPU time normalized for BinSat = 1. The numbers in parentheses
are average CPU time for BinSat, in milliseconds.

                              APT-SCC            BinSatSCC
Problem                     ver. 1   ver. 2    ver. 1   ver. 2    BinSat
R-100000-100000 sat           3.12     2.97      1.51     2.16    1 (67)
R-100000-100000 forced        3.11     3.04      1.50     2.20    1 (64)
R-100000-140000 forced        3.43     3.09      1.55     2.28    1 (74)
R-100000-200000 forced        3.28     2.72      1.45     1.92    1 (102)
R-100000-120000 unsat        41.14    76.70      3.78     1.01    1 (2)
R-100000-140000 unsat        78.06    91.00      3.97     1.04    1 (2)
R-100000-200000 unsat       188.91   139.64      4.91     1.02    1 (1)
CH-100-60-1000 sat            2.30     2.87      1.30     2.09    1 (45)
CH-100-100-1000 forced        2.55     3.00      1.29     2.14    1 (50)
CH-100-140-1000 forced        2.71     2.98      1.28     2.10    1 (56)
CH-150-90-1000 sat            2.24     2.70      1.30     1.94    1 (73)
CH-150-90-2000 forced         2.23     2.68      1.28     1.94    1 (145)
CH-200-120-1000 sat           2.23     2.70      1.29     1.93    1 (97)
CH-100-60-1000 unsat          2.90     8.58      1.60     1.06    1 (12)
CH-150-90-1000 unsat          2.39     4.01      1.36     1.03    1 (36)
CH-150-90-2000 unsat          2.75     6.16      1.49     1.05    1 (53)
VC-50000 sat                  1.57     1.55      1.06     1       1 (77)
VC-50000 unsat                2.90     2.97      1.08     1       1 (39)



Table 1 provides normalized average CPU time for all the algorithms consid-
ered in this paper, on a number of typical problem sets. The data shows, first,
that there are clear differences in performance between APT-SCC-1 and APT-
SCC-2, but neither dominates. Second, BinSatSCC algorithms are much faster
than APT-SCC algorithms, often by a factor of 2 or more. BinSatSCC-1 clearly
dominates on satisfiable problems, but may incur a significant overhead with
respect to BinSatSCC-2 on unsatisfiable ones, where the latter behaves exactly
as BinSat. Finally, of course, BinSat is faster than BinSatSCC.

Table 2 compares the algorithms in terms of their simplifying power, mea-
sured by the number of literals that can be eliminated by each algorithm. We
count the entailed literals and all but one literal from each SCC. Obviously,
both versions of APT-SCC yield the same result here, and the same applies to
BinSatSCC. We consider satisfiable instances only, since otherwise simplifica-
tion is useless. We can see that, as expected, BinSatSCC can simplify theories
much more than either BinSat or APT-SCC alone. (Note that the value for Bin-
SatSCC is not the sum of the other two values because APT-SCC sometimes
finds SCCs which in fact are entailed.) We also found that BinSat typically finds
25-50% of the total entailed literals, which is good but leaves significant room
for improvement.



Table 2. Average number of eliminated literals, normalized for BinSat = 1. The
numbers in parentheses are the actual average number of eliminated literals for BinSat.

Problem                     APT-SCC   BinSatSCC   BinSat
R-100000-100000 sat           0.08       1.06     1 (671)
R-100000-100000 forced        0.33       1.33     1 (1)
R-100000-200000 forced        1.13       1.68     1 (18146)
CH-100-140-1000 forced        0.75       1.61     1 (4028)
CH-150-90-1000 sat            0.95       1.93     1 (267)
CH-150-90-1000 forced         1.22       2.20     1 (134)
CH-150-90-2000 forced         1.29       2.27     1 (229)
CH-200-120-1000 sat           0.91       1.89     1 (292)
VC-50000 sat                  0          1        1 (49999)



Though it’s out of the scope of this paper, we remark that on all these
problems, the original unit resolution algorithm of Even et al. [?] is generally
around 20-40% slower than BinSat (and that only after careful tuning), and thus
better than either APT-SCC algorithm on most problem classes; but it can also
be orders of magnitude worse, for example in the VC examples. It also detects
fewer entailed literals than BinSat, roughly around 50-70%.

One final methodological point. Our conclusions are supported by controlled 
experiments of the studied algorithms for binary simplification on purely binary 
theories, even though our stated goal is helping to solve general SAT problems. 
Because of their consistency and regularity, we do expect our conclusions on 
performance rankings for various binary clause algorithms to carry over to the 
general case. Furthermore, we believe this is the right methodological choice, as 
opposed to testing the various algorithms within a general solver first off. The 
latter choice would raise more questions as to the generality of its findings, as 
trying to add binary simplification to a general SAT solver introduces too many 
uncontrolled variables in the experiments which may affect our ability to estimate 
accurately the benefit/cost ratio of binary clause reasoning in isolation from 
other factors such as its interaction with heuristics, backjumping, and learning. 

7 Conclusion 

We presented new hybrid algorithms for simplification of binary propositional 
theories, which combine the more advanced unit resolution algorithm for 2SAT 
with more efficient identification of sets of mutually equivalent literals (SCCs) 
than previous algorithms. We also demonstrated empirically the advantages of 
the new algorithms. BinSatSCC is a step forward toward efficient binary clause
reasoning with less overhead, so that its pruning power can be used during search 
in general SAT problems. 
Abstract. Recently, several approaches to updating knowledge bases modeled
as extended logic programs (ELPs) have been introduced, ranging from basic 
methods to incorporate (sequences of) sets of rules into a logic program, to more 
elaborate methods which use an update policy for specifying how updates must be 
incorporated. In this paper, we introduce a framework for reasoning about evolving 
knowledge bases, which are represented as ELPs and maintained by an update 
policy. We describe a formal model which captures various update approaches, 
and define a logical language for expressing properties of evolving knowledge 
bases. We further investigate the semantical properties of knowledge states with 
respect to reasoning. In particular, we describe finitary characterizations of the 
evolution, and derive complexity results for our framework. 



1 Introduction 

Updating knowledge bases is an important issue in the area of data and knowledge
representation. While this issue has been studied extensively in the context of classical
knowledge bases [?], attention to it in the area of nonmonotonic knowledge bases, in
particular in logic programming, is more recent. Various approaches to evaluating logic
programs in the light of new information have been presented, cf. [1]. The proposals
range from basic methods to incorporate an update U, given by a set of rules, or a
sequence U_1, ..., U_n of such updates into a (nonmonotonic) logic program P [?],
to more general methods which use an update policy to specify, by means of update
actions, how the updates U_1, ..., U_n should be incorporated into the current state of
knowledge [?]. Using these approaches, queries to the knowledge base, like “is a
fact f true in P after updates U_1, ..., U_n?”, can then be evaluated.

Notably, the formulation of such queries is treated on an ad-hoc basis, and more in-
volved queries such as “is a fact f true in P after updates U_1, ..., U_n and possibly further
updates?” are not considered. More generally, reasoning about an evolving knowledge
base KB, maintained using an update policy, is not formally addressed. However, it
is desirable to know about properties of the contents of the evolving knowledge base,
which also can be made part of a specification for an update policy. For example, it may
be important to know that a fact a is always true in KB, or that a fact b is never true in
KB. Analogous issues, called maintenance and avoidance, have been recently studied
in the agent community [20]. Other properties may involve temporal relationships such
as if message_to(tom) is true in KB at some point, meaning that a message should be
sent to Tom, then sent_message_to(tom) will become true in the evolving KB at some
point, representing that a message to Tom was sent.

In this paper, we aim at a framework for expressing reasoning problems over evolving
knowledge bases, which are modeled as extended logic programs [?] and possibly
maintained by an update policy as described above. In particular, we are interested
in a logical language for expressing properties of the evolving knowledge base, whose
sentences can be evaluated using a clear-cut formal semantics. The framework should, on
the one hand, be general enough to capture different approaches to incorporating updates
U_1, ..., U_n into a logic program P and, on the other hand, pay attention to the specific
nature of the problem. Furthermore, it should be possible to evaluate a formula, which
specifies a desired evolution behavior, across different realizations of update policies
based on different grounds.

The main contributions of this paper are summarized as follows. 

(1) We introduce a formal model in which various approaches for updating extended
logic programs can be expressed (Section 3). In particular, we introduce the concept of an
evolution frame, which is a structure EF = (A, EC, AC, Π, ρ, Bel) whose components
serve to describe the evolution of knowledge states. Informally, a knowledge state s =
(KB; E_1, ..., E_n) consists of an initial knowledge base KB, given by an extended logic
program over an alphabet A, and a sequence E_1, ..., E_n of events, which are sets of
rules E_i, drawn from a class of possible events EC, that are communicated to an agent
maintaining the knowledge base. The agent reacts on an event by adapting its belief
set through the update policy Π, which singles out update actions A ⊆ AC from a set
of possible update actions AC for application. These update actions are executed, at a
physical level, by compilation, using a function ρ into a single logic program P, or,
more generally, into a sequence (P_1, ..., P_n) of logic programs, denoted comp_EF(s).
The semantics of the knowledge state s, its belief set, Bel(s), is given by the belief set
of the compiled knowledge state, and is obtained by applying a belief operator Bel(·)
for (sequences of) logic programs to comp_EF(s). Suitable choices of EF allow one to
model different settings of logic program updates, such as [?].

(2) We define the syntax and, based on evolution frames, the semantics of a logical
language for reasoning about evolving knowledge bases (Section 4), which employs
linear and branching-time operators familiar from Computational Tree Logic (CTL) [?].
Using this language, properties of an evolving knowledge base can be formally stated and
evaluated in a systematic fashion, rather than ad hoc. For example, the above maintenance
and avoidance problems can be expressed by formulas AG a and AG ¬b, respectively.

(3) We investigate semantical properties of knowledge states for reasoning (Sec-
tion 5). In particular, since in principle a knowledge base may evolve forever, we are
concerned with finitary characterizations of evolution. To this end, we introduce various
notions of equivalence between knowledge states, and show several filtration results.

(4) We derive complexity results for reasoning (Section 6). Namely, given an evolu-
tion frame EF, a knowledge state s, and a formula φ, does EF, s ⊨ φ hold? While this
problem is undecidable in general, we single out meaningful conditions under which the
problem has 2-EXPSPACE, EXPSPACE, and PSPACE complexity, respectively, and ap-
ply this to the EPI framework under the answer set semantics [8], showing that its proposi-
tional fragment has PSPACE-complexity. We also consider the complexity of sequences
of extended logic programs (ELPs). We show that deciding whether two sequences
P = (P_1, ..., P_n) and Q = (Q_1, ..., Q_m) of propositional ELPs are strongly equiv-
alent under update answer set semantics, i.e., for every sequence R = (R_1, ..., R_k),
k ≥ 0, the concatenated sequences P + R and Q + R have the same belief sets, is coNP-
complete. This is not immediate, since potentially infinitely many P + R and Q + R need
to be checked.

By expressing various approaches in our framework, we obtain a formal semantics for 
reasoning problems in them. Furthermore, results about properties of these approaches 
(e.g., complexity results) may be concluded from the formalism by this embedding, as 
we illustrate for the EPI framework. 

2 Preliminaries 

We consider knowledge bases represented as extended logic programs (ELPs) [?],
which are finite sets of rules built over a first-order alphabet A using default negation
not and strong negation ¬. A rule has the form

    r: L_0 ← L_1, ..., L_m, not L_{m+1}, ..., not L_n,    (1)

where each L_i is a literal of form A or ¬A, where A is an atom over A. The set of
all rules is denoted by L_A. We call L_0 the head of r (denoted by H(r)), and the set
{L_1, ..., L_m, not L_{m+1}, ..., not L_n} the body of r (denoted by B(r)). We allow the
case where L_0 is absent from r; such a rule r is called a constraint. If B(r) = ∅, then r
is called a fact. We often write L_0 for a fact r = L_0 ←. Further extensions, e.g., not in
the rule head [?], might be added to fit other frameworks.

An update program, P, is a sequence (P_1, ..., P_n) of ELPs (n ≥ 1), representing the
evolution of program P_1 in the light of new rules P_2, ..., P_n. The semantics of update
programs can abstractly be described as a mapping Bel(·), which associates with every
sequence P a set Bel(P) ⊆ L_A of rules, intuitively viewed as the consequences of P.
Bel(·) may be instantiated in terms of various proposals for update semantics, like, e.g.,
the approaches described in [?].

For a concrete example, we consider the answer set semantics for propositional up-
date programs introduced in [?], which defines answer sets of P = (P_1, ..., P_n)
in terms of answer sets of a single ELP P as follows. An interpretation, S, is a
set of classical literals containing no opposite literals A and ¬A. The rejection set,
Rej(S, P), of P with respect to an interpretation S is Rej(S, P) = ⋃_{i=1}^{n} Rej_i(S, P),
where Rej_n(S, P) = ∅, and, for n > i ≥ 1, Rej_i(S, P) contains every rule r ∈ P_i
such that H(r') = ¬H(r) and S ⊨ B(r) ∪ B(r'), for some r' ∈ P_j \ Rej_j(S, P) with
j > i. That is, Rej(S, P) contains the rules in P which are rejected by unrejected rules
from later updates. Then, an interpretation S is an answer set of P = (P_1, ..., P_n) iff
S is a consistent answer set [?] of the program P = ⋃_{i=1}^{n} P_i \ Rej(S, P). The set of all
answer sets of P is denoted by AS(P). This definition properly generalizes consistent
answer sets from single ELPs to sequences of ELPs. Update answer sets for arbitrary
(non-ground) update programs P are defined in terms of their ground instances similar
to the case of answer sets for ELPs [?].

Example 1. Let P_0 = {b ← not a, a ←}, P_1 = {¬a ←, c ←}, and P_2 = {¬c ←}.
Then, P_0 has the single answer set S_0 = {a} with Rej(S_0, P_0) = ∅; (P_0, P_1) has as
answer set S_1 = {¬a, c, b} with Rej(S_1, (P_0, P_1)) = {a ←}; and (P_0, P_1, P_2) has the
unique answer set S_2 = {¬a, ¬c, b} with Rej(S_2, (P_0, P_1, P_2)) = {c ←, a ←}.

The belief operator Bel_E(·) in the framework of [8] is given by Bel_E(P) = {r ∈
L_A | S ⊨ r for all S ∈ AS(P)}, where S ⊨ r means that for each ground instance r'
of r, either H(r') ∈ S, or L ∉ S for some L ∈ B(r'), or L ∈ S for some not L ∈ B(r').
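The rejection-based update answer set semantics just defined, and the propositional reading of Bel_E(·), can be exercised on Example 1 with the following added Python code (written for this edition, not code from the paper or from any implementation of the framework). The string encoding of literals and rules, the brute-force enumeration of interpretations (adequate only for small propositional programs) and all function names are constructed assumptions; the answer sets of a single ELP are computed via the Gelfond-Lifschitz reduct.

```python
from itertools import product

# Constructed encoding of propositional ELPs: a classical literal is a string such
# as 'a' or '-a' (strong negation); a rule is a tuple (head, pos, neg) with
# head None for a constraint, pos the tuple of literals L_1..L_m and neg the
# tuple of literals L_{m+1}..L_n that appear under default negation.

def neg(l):
    """Opposite literal: a <-> -a."""
    return l[1:] if l.startswith('-') else '-' + l

def consistent(S):
    return all(neg(l) not in S for l in S)

def literals_of(rules):
    lits = set()
    for h, pos, negb in rules:
        if h is not None:
            lits.add(h)
        lits.update(pos)
        lits.update(negb)
    return sorted(lits)

def interpretations(lits):
    """All consistent interpretations over the given literals."""
    for bits in product((0, 1), repeat=len(lits)):
        S = {l for l, b in zip(lits, bits) if b}
        if consistent(S):
            yield S

def least_model(reduct):
    """Least set closed under not-free rules; None if a constraint fires."""
    M, changed = set(), True
    while changed:
        changed = False
        for h, pos in reduct:
            if all(l in M for l in pos):
                if h is None:
                    return None
                if h not in M:
                    M.add(h)
                    changed = True
    return M

def is_answer_set(S, rules):
    """S is a consistent answer set of an ELP iff S equals the least model of
    the Gelfond-Lifschitz reduct of the program with respect to S."""
    if not consistent(S):
        return False
    reduct = [(h, pos) for h, pos, negb in rules if all(l not in S for l in negb)]
    return least_model(reduct) == S

def body_holds(S, pos, negb):
    return all(l in S for l in pos) and all(l not in S for l in negb)

def rejected(S, seq):
    """Rej(S, P) for P = (P_1, ..., P_n): a rule r in P_i is rejected if an
    unrejected rule r' of some later P_j has head ¬H(r) and S ⊨ B(r) ∪ B(r')."""
    n = len(seq)
    rej = [set() for _ in range(n)]            # rej[n-1] is Rej_n = ∅ and stays empty
    for i in range(n - 2, -1, -1):             # later programs are settled first
        for r in seq[i]:
            h, pos, negb = r
            if h is None:
                continue
            if any(r2[0] == neg(h) and body_holds(S, pos + r2[1], negb + r2[2])
                   for j in range(i + 1, n) for r2 in seq[j] if r2 not in rej[j]):
                rej[i].add(r)
    return set().union(*rej)

def update_answer_sets(seq):
    """S is an answer set of the sequence iff S is a consistent answer set of
    (P_1 ∪ ... ∪ P_n) minus Rej(S, P)."""
    all_rules = [r for P in seq for r in P]
    found = []
    for S in interpretations(literals_of(all_rules)):
        remaining = [r for r in all_rules if r not in rejected(S, seq)]
        if is_answer_set(S, remaining):
            found.append(frozenset(S))
    return found

def satisfies(S, rule):
    """S ⊨ r, propositional case: the head is in S or some body literal fails."""
    h, pos, negb = rule
    return (h is not None and h in S) or any(l not in S for l in pos) or any(l in S for l in negb)

def believed(seq, rule):
    """r ∈ Bel_E(P): r is satisfied by every update answer set of the sequence."""
    return all(satisfies(S, rule) for S in update_answer_sets(seq))
```

With P_0, P_1 and P_2 from Example 1 encoded as `[('b', (), ('a',)), ('a', (), ())]`, `[('-a', (), ()), ('c', (), ())]` and `[('-c', (), ())]`, the three sequences yield exactly the answer sets S_0, S_1, S_2 and the rejection sets stated in the example.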



3 Knowledge-Base Evolution 

We start with the basic formal notions of an event and of the knowledge state of an agent 
maintaining a knowledge base. 

Definition 1. Let A be some alphabet. An event class over A (or simply event class,
if no ambiguity arises) is a collection EC ⊆ 2^{L_A} of finite sets of rules. The members
E ∈ EC are called events.

Informally, EC describes the possible events (i.e., sets of communicated rules) an
agent may experience. In the most general case, an event is an arbitrary ELP; in a simpler
setting, an event may just be a set of facts. In a deductive database setting, the latter case
corresponds to an extensional database undergoing change while the intensional part of
the database remains fixed.

Definition 2. Let EC be an event class over some alphabet A. A knowledge state over
EC (simply, a knowledge state) is a tuple s = (KB; E_1, ..., E_n), where KB ⊆ L_A is
an ELP (called initial knowledge base) and each E_i (1 ≤ i ≤ n) is an event from EC.
The length of s, denoted |s|, is n.

Intuitively, s = (KB; E_1, ..., E_n) captures the agent’s knowledge, starting from its
initial knowledge base. When a new event E_{n+1} occurs, the current knowledge state s
changes to s' = (KB; E_1, ..., E_n, E_{n+1}), and the agent is required to adapt its belief
set in accordance with the new event by obeying its given update policy.

The “universe” in which the evolution of an agent’s knowledge base takes place is 
given by the following concept: 

Definition 3. An evolution frame is a tuple EF = (A, EC, AC, Π, ρ, Bel), where

- A is a finite (first-order) alphabet;

- EC is an event class over A;

- AC is a set of update commands (or actions);

- Π is an update policy, which is a function mapping every knowledge state s over
EC and an event E ∈ EC into a set Π(s, E) ⊆ AC of update commands;

- ρ is a mapping, called realization assignment, which assigns to each knowledge
state s over EC and each set A ⊆ AC of update commands a sequence ρ(s, A) =
(P_0, ..., P_n) of ELPs P_i ⊆ L_A (1 ≤ i ≤ n); and

- Bel is a belief operator for sequences of ELPs.

The set of all knowledge states determined by EF is denoted by S_EF.

The components of an evolution frame allow us to model various update approaches, 
as we discuss later on. 

We already mentioned above that different event classes EC might be conceived.
Simple, elementary update commands are insert(r) and delete(r), which add and re-
move a rule to a logic program, respectively, without a sophisticated semantics handling
potential inconsistencies (which may be delegated to the underlying update semantics).
More involved update commands have been proposed in the literature (cf., e.g., [?]).
However, several update frameworks can be modeled using these simple commands.

Update policies Π allow for specifying sensible and flexible ways to react upon
incoming events. A very simple policy is Π_ins(s, E) = {insert(r) | r ∈ E}; it models
an agent which incorporates the new information unconditionally. More sophisticated
policies may define exceptions for the incorporation of rules from events, or the insertion
of rules may be conditioned on the belief in other rules.

While Π determines what to do, the realization assignment ρ states how this should
be done. Informally, ρ(s, A) “executes” actions A on the knowledge state s by producing
a logic program P or, more generally, a sequence P of logic programs. We can use ρ to
“compile” a knowledge state s into a (sequence of) logic programs, by determining the
set of actions A from the last event in s. We introduce the following notation.

For any knowledge state s = (KB; E_1, ..., E_n) over EC, denote by π_i(s) =
(KB; E_1, ..., E_i) its projection to the first i events, for 0 ≤ i ≤ n. We call π_i(s) a
previous knowledge state (or simply an ancestor) of s if i < n. Dually, each knowledge
state s' over EC is a future knowledge state (or simply a descendant) of s if s is previous
to s'. Furthermore, π_{n-1}(s) is the predecessor of s, and s' is a successor of s if s is
predecessor of s'. Finally, for events E'_1, ..., E'_m, we write s + E'_1, ..., E'_m to denote
the concatenated knowledge state (KB; E_1, ..., E_n, E'_1, ..., E'_m) (a similar notation
applies to the concatenation of sequences of logic programs).

Definition 4. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame. For any knowl-
edge state s = (KB; E_1, ..., E_n) over EC, the compilation associated with s is



This definition of compilation is fairly general. It first computes the actions for the
latest event E_n, and then requires that these actions are executed on the predecessor
state. Observe that, in view of comp_EF(s), we could equally well model update policies
as unary functions Π(·) such that Π(s) = Π(π_{n-1}(s), E_n). However, we chose binary
update policies to stress the importance of the last event in s.

An important class of compilations are those in which comp(s') for a future knowl- 
edge state s' results by appending some further elements to the sequence comp{s) of 
logic programs for the current knowledge state s. This motivates the following notion: 
Definition 5. Given an evolution frame EF = (A, EC, AC, Π, ρ, Bel), comp_EF is
incremental iff, for each s = (KB; E_1, ..., E_n), comp_EF(s) = (P_0, ..., P_n) such that
ρ((KB), ∅) = P_0 and ρ(π_{i-1}(s), Π(π_{i-1}(s), E_i)) = (P_0, ..., P_i) for 1 ≤ i ≤ n.

This amounts to the expected meaning:

Proposition 1. The mapping comp_EF(·) is incremental iff, for each knowledge state s,
comp_EF(s) = Q if |s| = 0, and comp_EF(s) = comp_EF(π_{|s|-1}(s)) + Q otherwise,
where Q is a logic program and “+” is the concatenation of sequences.

A simple, incremental compilation results for AC_ins = {insert(r) | r ∈ L_A}, Π =
Π_ins as defined above, and ρ_ins such that comp_EF((KB)) = KB and comp_EF(s) =
comp_EF(π_{|s|-1}(s)) + ({r | insert(r) ∈ A}). Note that comp_EF((KB; E_1, ..., E_n))
is in this setting just the sequence (KB, E_1, ..., E_n).

While incremental compilations are natural, we stress that others are of course also
relevant. In particular, the compilation might perform optimizations (cf. Section 5), or
output only an ordinary logic program.

Finally, the belief set emerging from a knowledge state is as follows: 

Definition 6. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame and s a knowl-
edge state. The belief set of s, denoted Bel(s), is given by Bel(comp_EF(s)).

Remarks. Our definition of an update policy and of a realization assignment, which
effectively lead to the notion of a compilation, is quite general. We may stipulate addi-
tional postulates upon them, like the incrementability property or an iterativity property
(which we omit here), and similarly on Bel(·).

Our definition does not capture nondeterministic update policies, where Π(s, E)
may return one out of several possible sets of update actions. Accordingly, the notion
of a knowledge state can be extended by taking previous actions into account, i.e., a
knowledge state s is then of the form (KB; (E_1, A_1), ..., (E_n, A_n)), where each E_i is
an event, and A_i is the set of update commands executed at step i. In practice, we may
assume a suitable selection function σ, which chooses one of the possible outcomes of
Π(s, E), and we are back to a deterministic update policy Π_σ. If the selection function
σ is unknown, we may consider all evolution frames EF_σ arising for each σ.

Example 2. Consider a rather simple mailing agent, which has the following initial knowledge base KB, whose rules are instantiated over suitable variable domains:

r1: type(M, private) ← from(M, tom);
r2: type(M, business) ← subject(M, project);
r3: type(M, other) ← not type(M, private), not type(M, business), msg(M);
r4: trash(M) ← remove(M), not save(M);
r5: remove(M) ← date(M, T), today(T'), not save(M), T' > T + 30;
r6: found(M) ← search(T), type(M, T), not trash(M);
r7: success ← found(M);
r8: failure ← search(T), not success.


The knowledge base contains rules about classifying message types (r1–r3), trash and removal of mails (r4, r5), and further rules (r6–r8) to determine success or failure of a search for messages of a particular type. An event E might consist in this setting of one or more of the following items:



Reasoning about Evolving Nonmonotonic Knowledge Bases 413 



- at most one fact today(d), for some date d;

- a fact empty_trash, which causes messages in the trash to be eliminated;

- facts save(m) or remove(m), for mail identifiers m;

- at most one fact search(t), for some mail type t ∈ {other, business, private};

- zero or more sets of facts from(m, n), subject(m, s), or date(m, d) for mail identifier m, name n, subject s, and date d.

The update policy Π may be as follows:

Π(s, E) = {insert(R) | R ∈ E} ∪ {insert(msg(M)) | from(M, N) ∈ E}
        ∪ {delete(today(D)) | today(D') ∈ E, today(D) ∈ Bel(s)}
        ∪ {delete(a) | a ∈ {trash(M), msg(M), type(M, T)}, empty_trash ∈ E, trash(M) ∈ Bel(s)}
        ∪ {delete(a) | a ∈ {from(M, N), subject(M, S), date(M, D)}, save(M) ∉ Bel(s), msg(M) ∈ Bel(s), remove(M) ∈ E}
        ∪ {delete(a) | a ∈ Bel(s) ∩ {search(T), found(T), success, failure, empty_trash}}

This update policy (which does not respect possible conflicts of save and remove) intuitively adds all incoming information, plus a fact msg(M) for each incoming mail, to the knowledge base. The current date is maintained by deleting the old date. As well, all old information from a previous event, relative to a search or to the trash, is removed. If an event contains empty_trash, then all messages in the trash are eliminated.
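As an added illustration (not code from the paper), the policy Π(s, E) above rendered in Python: atoms are tuples such as ('from', 'm1', 'tom'), Bel(s) is passed in as a set of ground atoms rather than computed from the compilation, and the belief set and event in example_scenario() are constructed.

```python
def update_policy(bel, event):
    """Π(s, E) for the mailing agent: update actions for belief set Bel(s) and event E.

    Atoms are tuples (predicate, *args), e.g. ('from', 'm1', 'tom') or ('success',).
    Actions are ('insert', atom) or ('delete', atom). Deletions range over atoms
    that are actually in Bel(s); deleting an atom that is not believed is a no-op.
    """
    actions = set()
    # {insert(R) | R ∈ E}
    actions |= {('insert', fact) for fact in event}
    # {insert(msg(M)) | from(M, N) ∈ E}
    actions |= {('insert', ('msg', fact[1])) for fact in event if fact[0] == 'from'}
    # {delete(today(D)) | today(D') ∈ E, today(D) ∈ Bel(s)}: keep one current date
    if any(fact[0] == 'today' for fact in event):
        actions |= {('delete', a) for a in bel if a[0] == 'today'}
    # {delete(a) | a ∈ {trash(M), msg(M), type(M, T)}, empty_trash ∈ E, trash(M) ∈ Bel(s)}
    if ('empty_trash',) in event:
        trashed = {a[1] for a in bel if a[0] == 'trash'}
        actions |= {('delete', a) for a in bel
                    if a[0] in ('trash', 'msg', 'type') and a[1] in trashed}
    # {delete(a) | a ∈ {from(M, N), subject(M, S), date(M, D)},
    #              save(M) ∉ Bel(s), msg(M) ∈ Bel(s), remove(M) ∈ E}
    removed = {fact[1] for fact in event if fact[0] == 'remove'}
    for m in removed:
        if ('save', m) not in bel and ('msg', m) in bel:
            actions |= {('delete', a) for a in bel
                        if a[0] in ('from', 'subject', 'date') and a[1] == m}
    # {delete(a) | a ∈ Bel(s) ∩ {search(T), found(T), success, failure, empty_trash}}:
    # forget the search results and trash command of the previous event
    actions |= {('delete', a) for a in bel
                if a[0] in ('search', 'found', 'success', 'failure', 'empty_trash')}
    return actions


def example_scenario():
    """Constructed belief set and event (not from the paper) exercising most clauses."""
    bel = {
        ('from', 'm1', 'tom'), ('msg', 'm1'), ('type', 'm1', 'private'),
        ('today', 'd1'), ('search', 'private'), ('found', 'm1'), ('success',),
    }
    event = {('today', 'd2'), ('remove', 'm1'), ('search', 'business')}
    return update_policy(bel, event)
```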

Capturing frameworks for knowledge evolution. Finally, we briefly discuss how existing frameworks for updating nonmonotonic knowledge bases can be captured in terms of evolution frames. This is possible at two different levels:

(1) At an "immediate update" level, frameworks for updating logic programs can be considered, where each event is an update program, and the update policy is the (implicit) way in which update programs and the current knowledge are combined, depending on the semantics of updates of each approach. For example, the formalisms of update programs [6,7], dynamic logic programming [?], revision programming [?], abductive theory updates [?], and updates through prioritized logic programs (PLPs) [?] fall into this category.

(2) At a higher level, frameworks can be considered which allow for specifying an explicit update policy in some specification language, and which offer a greater flexibility in the handling of updates. Examples of such frameworks are EPI [8], LUPS [?] and, while not directly given in these terms, PDL [?].

For illustration, we consider update programs [?] and the EPI framework for update policies. Update programs are captured by the following evolution frame:

EF_E = (A, EC_A, AC_ins, Π_ins, ρ_ins, Bel_E),

where EC_A is the collection of all ELPs over A, and Bel_E is the belief operator defined in Section 2. The EPI framework corresponds to the evolution frame

EF_EPI = (A, EC, AC_EPI, Π_EPI, ρ_EPI, Bel_E),

where

- AC_EPI = {assert(r), retract(r), always(r), cancel(r), assert_event(r), retract_event(r), always_event(r) | r ∈ L_A} and the commands have the meaning as in [8];

- Π_EPI is defined by any set of update statements in the language EPI, which are evaluated through a logic program as defined in [8];

- ρ_EPI realizes the translation tr(KB; U_1, ..., U_n) from [8], which compiles the initial knowledge base KB and the sets of update commands U_1, ..., U_n in response to the events E_1, ..., E_n in s = (KB, E_1, ..., E_n), into a sequence (P_0, ..., P_n) of ELPs. The resulting compilation comp_EPI is incremental.

Furthermore, the following formalisms can be expressed in a similar fashion: dynamic logic programming [?] (by allowing not in rule heads), LUPS [?], abductive theory updates [?], and program updates by means of PLPs [?]. Thus, several well-known approaches to updating logic programs can be modeled by evolution frames.

4 Reasoning about Knowledge-Base Evolution 

We now introduce our logical language for expressing properties of evolving knowledge bases. The primitive logical operators of the language are: (i) the Boolean connectives ∧ ("and") and ¬ ("not"); (ii) the evolution quantifiers A ("for all futures") and E ("for some future"); and (iii) the linear temporal operators X ("next time") and U ("until").

Atomic formulas are identified with rules in L_A; composite formulas are either state formulas or evolution formulas, defined as follows:

1. Each atomic formula is a state formula.

2. If φ, ψ are state formulas, then φ ∧ ψ and ¬φ are state formulas.

3. If φ is an evolution formula, then Eφ and Aφ are state formulas.

4. If φ, ψ are state formulas, then Xφ and φUψ are evolution formulas.

Further Boolean connectives ∨ ("or"), ⊃ ("implies"), and ≡ ("equivalence") are defined in the usual manner. As well, we use Fφ = ⊤Uφ ("finally φ"), where ⊤ stands for any tautology, AGφ = ¬EF¬φ, and EGφ = ¬AF¬φ ("globally φ").

Next, we define the semantics of such formulas with respect to a given evolution frame EF = (A, EC, AC, Π, ρ, Bel). To this end, we introduce the following notation: A sequence p = (s_i)_{i≥0} of knowledge states over EC is called a path iff each s_i (i > 0) is a successor of s_{i-1}. We denote by p_i the state at position i in p, i.e., p_i = s_i.

Definition 7. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame, s a knowledge state over EC, and p a path. The relation ⊨ is recursively defined as follows:

1. EF, s ⊨ r iff r ∈ Bel(s), for any atomic formula r;

2. EF, s ⊨ φ_1 ∧ φ_2 iff EF, s ⊨ φ_1 and EF, s ⊨ φ_2;

3. EF, s ⊨ ¬φ iff EF, s ⊭ φ;

4. EF, s ⊨ Eφ iff EF, p' ⊨ φ, for some path p' starting at s;

5. EF, s ⊨ Aφ iff EF, p' ⊨ φ, for each path p' starting at s;

6. EF, p ⊨ Xφ iff EF, p_1 ⊨ φ;

7. EF, p ⊨ φ_1Uφ_2 iff EF, p_i ⊨ φ_2 for some i ≥ 0 and EF, p_j ⊨ φ_1 for all j < i.

If EF, s ⊨ φ holds, then knowledge state s is said to satisfy formula φ in the evolution frame EF (or φ is a consequence of s in the evolution frame EF).

Notice that any evolution frame EF induces an infinite transition graph which amounts to a standard Kripke structure K_EF = (S, R, L), where S = S_EF is the set of knowledge states, R is the successor relation between knowledge states, and L labels each state s with Bel(s), such that s satisfies φ in EF iff K_EF, s ⊨ φ (where ⊨ is defined in the usual way).

Example 3. In order to see whether the mailing agent in Example 2 works properly, we may consider the following properties. For convenience, we allow in formulas non-ground rules as atoms, which stand for the conjunction of all ground instances, which is assumed to be finite. Recall that we identify facts with literals.

1. There can never be two current dates:

AG((today(D) ∧ today(D')) ⊃ D = D').    (2)

2. The type of a message cannot change:

AG(type(M, T) ⊃ ¬EF(type(M, T') ∧ T ≠ T')).    (3)

3. A message is not trashed until it is either deleted or saved:

AG(msg(m) ⊃ A(¬trash(m) U (delete(m) ∨ save(m)))).    (4)

While the initial KB satisfies formulas (2) and (4) in the respective EPI evolution frame EF_EPI, it is easily seen that it does not satisfy formula (3).

5 Knowledge-State Equivalence 

While syntactically different, it may happen that knowledge states s and s' are semantically equivalent in an evolution frame, i.e., s and s' may have the same set of consequences for the current and all future events. We now consider how such equivalences can be exploited to filtrate a given evolution frame EF such that, under suitable conditions, we can decide EF, s ⊨ φ in a finite structure extracted from the associated Kripke structure K_EF. We start with the following notions of equivalence.

Definition 8. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame and k ≥ 0 some integer. Furthermore, let s, s' be knowledge states over EC. Then,

1. s and s' are k-equivalent in EF, denoted s ≡^k_EF s', if Bel(s + E_1, ..., E_{k'}) = Bel(s' + E_1, ..., E_{k'}), for all events E_1, ..., E_{k'} from EC and all k' ≤ k;

2. s and s' are strongly equivalent in EF, denoted s ≡_EF s', iff s ≡^k_EF s' for every k ≥ 0.

We call 0-equivalent states also weakly equivalent. The following result is obvious.

Theorem 1. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame and s, s' knowledge states over EC. Then,

1. s ≡_EF s' implies that EF, s ⊨ φ is equivalent to EF, s' ⊨ φ, for any formula φ;

2. s ≡^k_EF s' implies that EF, s ⊨ φ is equivalent to EF, s' ⊨ φ, for any formula φ in which U does not occur and the nesting depth w.r.t. E and A is at most k.

Due to Part 1 of Theorem 1, strong equivalence can be used to filtrate an evolution frame EF in the following way. For an equivalence relation E over some set X, and any x ∈ X, let [x]_E = {y | (x, y) ∈ E} be the equivalence class of x and let X/E = {[x]_E | x ∈ X} be the set of all equivalence classes. Furthermore, E is said to have a finite index (with respect to X) iff X/E is finite. Then, any equivalence relation E over some set S ⊆ S_EF of knowledge states of EF compatible with ≡_EF (i.e., such that s E s' implies s ≡_EF s', for all s, s' ∈ S) induces a Kripke structure K^E_EF = (S/E, R_E, L_E), where [s]_E R_E [s']_E iff s R s' and L_E([s]_E) = L(s), which is bisimilar to the Kripke structure K_EF restricted to the knowledge states in S. Thus, for every knowledge state s and formula φ, it holds that EF, s ⊨ φ iff K^E_EF, [s]_E ⊨ φ, for any S ⊆ S_EF such that S contains all descendants of s.

In the following, we consider two cases in which S/E has finite index.



5.1 Local Belief Operators 

In the first case, we consider ≡_EF itself as a relation compatible with strong equivalence. We obtain a finite index if, intuitively, the belief set Bel(s) associated with s evolves differently only in a bounded context. We have the following result.

Theorem 2. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame such that EC is finite, and let S ⊆ S_EF be some set of knowledge states over EC. Then, the following two conditions are equivalent:

(a) ≡_EF has a finite index with respect to S.

(b) ≡^0_EF has a finite index with respect to S and there is some k ≥ 0 such that s ≡^k_EF s' implies s ≡_EF s', for all s, s' ∈ S.

Moreover, in case (a), there is some k ≥ 0 such that |S/≡_EF| ≤ [bound illegible], where d = |S/≡^0_EF|.



The condition that ≡^0_EF has a finite index, i.e., such that only finitely many knowledge states s have different belief sets, is, e.g., satisfied by common belief operators if every s is compiled to a sequence comp_EF(s) of ELPs over a finite set of function-free atoms (in particular, if A is a finite propositional alphabet).

By taking natural properties of Bel(·) and comp_EF(·) into account, we can derive an alternative version of Theorem 2. To this end, we introduce the following notation.

Given a belief operator Bel(·), we call update programs P and P' k-equivalent, if Bel(P + (Q_1, ..., Q_l)) = Bel(P' + (Q_1, ..., Q_l)), for every ELPs Q_1, ..., Q_l (0 ≤ l ≤ k). Likewise, P and P' are strongly equivalent, if they are k-equivalent for all k ≥ 0. We say that Bel(·) is k-local, if k-equivalence of P and P' implies strong equivalence of P and P', for any update programs P and P'. Furthermore, Bel(·) is local, if Bel(·) is k-local for some k ≥ 0. We obtain the following result:
Theorem 3. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame such that EC is finite and ≡^0_EF has a finite index with respect to S ⊆ S_EF. If Bel(·) is local and comp_EF(·) is incremental, then ≡_EF has a finite index with respect to S.

As an application of this result, we show that certain EPI evolution frames have a finite index. Recall that Bel_E(·) is the belief operator of the answer set semantics of update programs [7], as described in Section 2. We can show the following result:

Theorem 4. Bel_E is local. In particular, 1-equivalence of update programs P and P' implies k-equivalence of P and P', for all k ≥ 1.

The proof is by induction and appeals to the rejection mechanism of the semantics. Furthermore, in any EPI evolution frame EF = (A, EC, AC_EPI, Π_EPI, ρ_EPI, Bel_E), the update policy Π_EPI is, informally, given by a logic program such that Π_EPI returns a set of update actions from a finite set A_0 of update actions, which are compiled to rules from a finite set R_0 of rules, provided EC is finite. Consequently, ≡^0_EF has finite index with respect to any set S of knowledge states s which coincide on π_0(s), i.e., the initial knowledge base KB. Furthermore, comp_EPI(·) is incremental. Thus, we obtain:

Corollary 1. Let EF = (A, EC, AC_EPI, Π_EPI, ρ_EPI, Bel_E) be an EPI evolution frame such that EC is finite, and let S ⊆ S_EF be a set of knowledge states such that {π_0(s) | s ∈ S} is finite. Then, ≡_EF has a finite index with respect to S. Moreover, |S/≡_EF| ≤ [bound illegible], where d = |S/≡^0_EF|.

5.2 Contracting Belief Operators 

Next, we discuss a refinement of strong equivalence, called canonical equivalence, which also yields a finite index, provided the evolution frame possesses, in some sense, only a "bounded history". In contradistinction to the previous case, canonical equivalence uses semantical properties which allow for a syntactic simplification of update programs. We need the following notions.

Definition 9. Let Bel(·) be a belief operator. Then, Bel(·) is called contracting iff the following conditions hold: (i) Bel(P + ∅ + P') = Bel(P + P'), for all update programs P and P'; and (ii) Bel(P) = Bel(P_0, ..., P_{i-1}, P_i \ {r}, P_{i+1}, ..., P_n), for any sequence P = (P_0, ..., P_n) and any rule r ∈ P_i ∩ P_j such that i < j. An evolution frame EF = (A, EC, AC, Π, ρ, Bel) is contracting iff Bel(·) is contracting.

Examples of contracting belief operators are Bel_E(·) and the analogous operator from [?]. By repeatedly removing duplicate rules r and empty programs P_i from any sequence P = (P_0, ..., P_n) of ELPs, we eventually obtain a non-reducible sequence P* = (P*_0, ..., P*_m), which is called the canonical form of P. Observe that m ≤ n always holds, and that P* is uniquely determined, i.e., the reduction process is Church-Rosser. We get the following property:

Theorem 5. For any contracting belief operator Bel(·) and any update sequence P, we have that P and P* are strongly equivalent.
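An added example (not the authors' code) of the reduction to canonical form from Definition 9 and Theorem 5: rules are arbitrary hashable values, an update sequence is a list of sets, and the input sequence EXAMPLE is constructed.

```python
def canonical_form(seq):
    """Return P* for the update sequence seq = [P_0, ..., P_n] (a list of sets of rules).

    Condition (ii) of Definition 9 lets a rule r in P_i ∩ P_j with i < j be dropped
    from the earlier program P_i, and condition (i) lets empty programs be dropped;
    applying both until nothing changes yields the (unique) canonical form.
    """
    progs = [set(p) for p in seq]
    # Walk from the right: every rule already present in a later program is
    # removed from the current one, so each rule survives only in its last occurrence.
    seen = set()
    for idx in range(len(progs) - 1, -1, -1):
        progs[idx] -= seen
        seen |= progs[idx]
    # Drop empty programs (condition (i)); the order of the rest is preserved.
    return [p for p in progs if p]


def is_canonical(seq):
    """True iff seq has no empty program and no rule occurs in two programs."""
    if any(not p for p in seq):
        return False
    total = sum(len(p) for p in seq)
    return total == len(set().union(*seq)) if seq else True


# Constructed sequence P = (P_0, P_1, P_2, P_3) with rules written as strings;
# "a <- b." occurs in P_0 and P_2, "c." in P_2 and P_3, and P_1 is empty.
EXAMPLE = [
    {"a <- b.", "d <- not e."},
    set(),
    {"a <- b.", "c."},
    {"c.", "b."},
]


def canonize_example():
    """P* of EXAMPLE: three programs, so m = 2 < n = 3."""
    return canonical_form(EXAMPLE)
```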
Let us call knowledge states s and s' in an evolution frame EF canonically equivalent, denoted s ≡^c_EF s', iff they are strongly equivalent in the canonized evolution frame EF*, which results from EF by replacing comp_EF(s) with its canonical form comp_EF(s)* (i.e., comp_EF*(s) = comp_EF(s)*). We note the following property.

Theorem 6. Let EF be a contracting evolution frame. Then, EF, s ⊨ φ iff EF*, s ⊨ φ, for any knowledge state s and any formula φ. Furthermore, ≡^c_EF is compatible with ≡_EF for any S ⊆ S_EF, i.e., s ≡^c_EF s' implies s ≡_EF s', for every s, s' ∈ S.

As a result, we may use ≡^c_EF for filtration of EF, based on the following concept.

Definition 10. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame and c ≥ 0 an integer. We say that EF is c-bounded iff there are functions α, f, and g such that

1. α is a function mapping knowledge states into sets of events such that, for each s = (KB; E_1, ..., E_n), α(s) = (E_{n-c'+1}, ..., E_n), where c' = min(n, c); and

2. Π(s, E) = f(Bel(s), α(s), E) and ρ(s, A) = g(Bel(s), α(s), A), for each knowledge state s ∈ S_EF, each event E ∈ EC, and each A ⊆ AC.

This means that, in a c-bounded evolution frame, the compilation comp_EF(s) depends only on the belief set of the predecessor s' of s and the latest c events in s.

Theorem 7. Let EF = (A, EC, AC, Π, ρ, Bel) be an evolution frame where EC is finite, and let S ⊆ S_EF. If (i) EF is contracting, (ii) there is some finite set R_0 ⊆ L_A such that comp_EF(s) ⊆ R_0, for any s ∈ S, and (iii) EF is c-bounded, for some c ≥ 0, then ≡^c_EF has a finite index with respect to S.



6 Complexity 

In this section, we study the computational complexity of the following reasoning task: 

TempEvo: Given an evolution frame EF = (A, EC, AC, Π, ρ, Bel), a knowledge state s over EC, and some formula φ, does EF, s ⊨ φ hold?

In order to obtain decidability results, we assume that the constituents of the evolution frame EF in TempEvo are all computable. More specifically, we assume that (i) EC, AC, and Bel are given as computable functions deciding E ∈ EC, a ∈ AC, and r ∈ Bel(P), and (ii) Π and ρ are given as computable functions. Nonetheless, even under these stipulations, it is easy to see that TempEvo is undecidable.

The results of Section 5 provide a basis for characterizing some decidable cases. We consider here the following class of propositional evolution frames EF = (A, EC, AC, Π, ρ, Bel) (i.e., A is propositional). Call EF regular, if the following applies:

1. the membership tests E ∈ EC and r ∈ Bel(P), as well as Π and ρ are computable in polynomial space (the latter with polynomial size output); e.g., the functions may be computable in the polynomial hierarchy;

2. rules in compilations comp_EF(s) and events E have size polynomial in the representation size of EF, denoted by ||EF|| (i.e., repetition of the same literal in a rule is bounded), and events have size at most polynomial in ||EF||;

3. Bel(·) is model based, i.e., Bel(P) is determined by a set of k-valued models, where k is small (typically, k ≤ 3 as for Bel_E(·)).

The conditions 1 and 3 apply to the approaches in [?], and condition 2 is reasonable to impose; note that none of these semantics is sensitive to repetitions of literals in rule bodies.



Theorem 8. Deciding EF, s ⊨ φ, given a regular propositional evolution frame EF = (A, EC, AC, Π, ρ, Bel), a knowledge state s, and a formula φ is

1. 2-EXPSPACE-complete, if Bel(·) is k-local for some k which is polynomial in ||EF||, and comp is incremental;

2. EXPSPACE-complete, if EF is contracting and c-bounded, where c is polynomial in ||EF||; and

3. PSPACE-complete, if EF is as in 2 and, moreover, all rules in the compilations comp_EF(s') of successors s' of s are from a set R_0 of size polynomial in ||EF||.

For the upper bounds of these results, we note that in the case where φ has form Eψ, only finite paths of length at most |S/≡_EF| must be considered for satisfying ψ, where S is the set of all future knowledge states of s. Part 1 of the theorem can then be shown by Theorem 3 using the estimation given in Theorem 2. Concerning Part 2, there are O(2^{[exponent illegible]}) many knowledge states s that are not strongly equivalent, for some constants l, m and m'; each Bel(s) can be represented, using canonical update programs, together with the last c events, in single exponential space. Furthermore, the representation of every successor state is computable in polynomial space in the input size. Hence, overall exponential space is sufficient. Finally, the additional condition in Part 3 of the theorem guarantees PSPACE complexity. The lower bounds can be shown by encoding Turing machine computations into particular evolution frames.

Part 3 of Theorem 8 implies that the propositional EPI framework has also PSPACE complexity. While here, in general, Bel(s) depends on all events in s, it is possible to restrict AC_EPI to the commands assert and retract, by efficient coding techniques which store relevant history information in Bel(s), such that the compilation in comp_EPI(s) depends only on Bel(π_{n-1}(s)) and the last event E_n in s. Furthermore, the policy Π_EPI is sensitive only to polynomially many rules in events, and comp_EPI(s) contains only rules from a fixed set R_0 of rules, whose size is polynomial in the representation size of EF. Thus, we get the following corollary.

Corollary 2. Let EF = (A, EC, AC_EPI, Π_EPI, ρ_EPI, Bel_E) be a propositional EPI evolution frame, let s be a knowledge state, and let φ be a formula. Then, deciding EF, s ⊨ φ is in PSPACE.



On the other hand, computations of a PSPACE Turing machine can be easily encoded in a propositional EPI evolution frame using a single event which models the clock. Thus, Corollary 2 has a matching lower bound.

We conclude our complexity analysis with results concerning weak, strong, and k-equivalence of two propositional update programs, respectively.

Theorem 9. Deciding whether two given propositional update programs P and Q are weakly equivalent, i.e., satisfying Bel_E(P) = Bel_E(Q), is coNP-complete.

Intuitively, the upper bound follows from the property that, for any propositional update programs P and Q, Bel(P) = Bel(Q) is equivalent to AS(P) = AS(Q). The matching lower bound follows easily from the coNP-completeness of deciding whether an ELP has no answer set (cf. [?]).

For deciding 1-equivalence, the following lemma is useful:

Lemma 1. Let P and Q be propositional update programs. Then, P and Q are not 1-equivalent under Bel_E iff there is an ELP R and a set S such that (i) S ∈ AS(P + R) but S ∉ AS(Q + R), or vice versa, (ii) |S| is at most the number of atoms in P + Q plus 1, and (iii) |R| ≤ |S| + 1. Furthermore, R has polynomial size in the size of P and Q.

Intuitively, this holds since any answer set S of P + R can be generated by at most |S| many rules. Furthermore, if S is not an answer set of Q + R, by unfolding rules in R we may disregard for an S all but at most one atom which does not occur in P or Q. To generate a violation of S in Q + R, an extra rule might be needed; this means that an R with |R| ≤ |S| + 1 is sufficient.

Theorem 10. Deciding strong equivalence (or k-equivalence, for any fixed k ≥ 0) of two given propositional update programs P and Q is coNP-complete.

Proof. (Sketch) For k = 0, the result is given by Theorem 9. For k ≥ 1, the membership part follows from Lemma 1 in virtue of Theorem 4. Hardness can be shown by constructing, given a propositional DNF φ, suitable programs P and Q in polynomial time such that φ is valid in classical logic iff P = (P) and Q = (Q) are 1-equivalent. □

Note that Theorems 9 and 10 and Lemma 1 make no finiteness assumption on the alphabet A. They also hold for ground update programs P and Q in a first-order alphabet, where R in Lemma 1 is ground.

7 Discussion and Conclusion 

We presented a general framework for reasoning about evolving logic programs, which can be applied to several approaches for updating logic programs in the literature. Since the semantics of evolution frames can be captured by Kripke structures, it is suggestive to transform reasoning problems on them into model checking problems [3]. However, in current model checking systems, state transitions must be stated in a polynomial-time language, and descriptions of these Kripke structures would require exponential space also for evolution frames with PSPACE complexity (e.g., EPI evolution frames). Thus, extensions of model checking systems would be needed for fruitful usability.

Lobo et al. introduced the PDL [17] language for policies, which contain event-condition-action rules and serve for modeling reactive behavior on observations from an environment. While similar in spirit, their model is different, and [17] focuses on detecting action conflicts (which, in our framework, is not an issue). In [17], reasoning tasks are considered which center around actions. Further related research is on planning, where certain reachability problems are PSPACE-complete (cf. [?]). Similar results were obtained in [20] for related agent design problems. However, in all these works, the problems considered are ad hoc, and no reasoning language is considered.
Fagin et al.'s [10] important work on knowledge in multi-agent systems addresses evolving knowledge, but mainly at an axiomatic level. Wooldridge's [19] logic for reasoning about multi-agent systems embeds CTL* and has belief, desire and intention modalities. The underlying model is very broad, and aims at agent communication and cooperation. It remains to see how our particular framework fits into these approaches.

Our ongoing work addresses these and further issues. Further meaningful properties of evolution frames would be interesting; e.g., iterativity of the compilation comp_EF, i.e., the events are incorporated one at a time, or properties of the belief operator Bel. Other issues are algorithms and fragments of lower (especially, polynomial) complexity.
Abstract. In this paper we present a bottom-up algorithm for computing the well-founded model of general normal logic programs by means of range-restricted Datalog¬ rules automatically generated from the source program. The drawback of repeated computation of facts from which Van Gelder's alternating fixpoint procedure is suffering is avoided by using update propagation rules, generalizing the differential fixpoint computation well-known for stratifiable deductive databases.



1 Introduction 

In the field of deductive databases, a considerable amount of research has been devoted to the efficient bottom-up evaluation of queries against the intensional part of a database (e.g. magic sets [2], counting [4], Alexander method [?]). Another branch of research has been dealing with the problem of efficient computation of induced changes by means of update propagation (e.g. [?, 13]). These results are particularly relevant for systems which will implement the new SQL99 standard and hence will allow the definition of recursive views. The intuitive semantics of function-free deductive rules without or with at least stratifiable negation is well understood by now. However, when unstratifiable negation is considered, the intended meaning becomes less clear and several proposals for a suitable semantics based on model theory have been made. The most established of these are the stable model semantics and the well-founded semantics, the latter one being preferred by many authors because of its unique model [?]. The reason for dealing with this general class of deductive databases is twofold: On the one hand, it is known from [?] that unstratifiable rules are strictly more expressive than stratifiable ones and that there are interesting queries not expressible by stratifiable databases. On the other hand, unstratifiable databases may result when applying rewriting techniques such as magic sets to stratifiable databases. Thus, efficient techniques for handling unstratifiable rules are of interest in the context of SQL, too, where user rules have to be stratified.

Bottom-up approaches to the computation of well-founded models based on the alternating fixpoint operator introduced by Van Gelder [?] have been proposed in [?], while in [5,6] the computation is based on the residual program suggested by [7,8]. Despite the advantages of the residual program approach, its notion of conditional facts is hard to implement in a database context. We will therefore concentrate on the efficient implementation of the alternating fixpoint procedure and on its well-known drawback of repeated computations. In our approach, such recomputation is avoided by using update propagation rules leading to an incremental algorithm extending the differential evaluation techniques for stratifiable databases [2]. In addition, we will provide a solution to stratification problems that arise when the magic set method is used in combination with update propagation rules.

2 Basic Concepts 

We consider a first order language with a universe of constants U = {a, b, c, ...}, a set of variables {X, Y, Z, ...} and a set of predicate symbols {p, q, r, ...}. A term is a variable or a constant (i.e., we restrict ourselves to function-free terms). Let p be an n-ary predicate symbol and t_i (i = 1, ..., n and n ≥ 0) terms; then p(t_1, ..., t_n) (or simply p(t)) is denoted atom. An atom is ground if every t_i is a constant. If A is an atom, we use pred(A) to refer to the predicate symbol of A. A fact is a clause of the form p(t_1, ..., t_n) ← true where p(t_1, ..., t_n) is a ground atom. A literal is either an atom or a negated atom. A deductive rule is a clause of the form

p(t_1, ..., t_n) ← L_1 ∧ ... ∧ L_m with n ≥ 0 and m ≥ 1,

where p(t_1, ..., t_n) is an atom denoting the rule's head, and L_1, ..., L_m are literals representing the rule's body. We assume all deductive rules to be safe (allowed or range-restricted, respectively); that is, all variables occurring in the head or in any negated literal of a rule must be present in some positive literal in this rule's body as well. This ensures that all negated literals can be fully instantiated before they are evaluated according to the negation as failure principle. If A is the head of a given deductive rule R, we use pred(R) to refer to the predicate symbol of A.

Definition 1 (Deductive Database). A deductive database D is a tuple (F, R) where F is a finite set of facts and R a finite set of deductive rules such that pred(F) ∩ pred(R) = ∅. Within a deductive database D = (F, R), a predicate symbol p is called derived (view predicate), if p ∈ pred(R). The predicate p is called extensional (or base predicate), if p ∈ pred(F).

Stratifiable deductive rules do not allow recursion through negative predicate occurrences. A stratification partitions a given rule set such that all positive derivations of relations can be determined before a negative literal with respect to one of those relations is evaluated. Given a deductive database D, the Herbrand base H_D of D is the set of all ground atoms that can be constructed from the predicate symbols and constants occurring in D. Based on these notions we will now define the semantics of a deductive database. First, we present the immediate consequence operator introduced by van Emden and Kowalski that will serve as the basic operator for determining the semantics of different classes of deductive databases.

Definition 2 (Immediate Consequence Operator). Let D = (F, R) be a deductive database. The immediate consequence operator T_R is a mapping on sets of ground atoms and is defined for X ⊆ H_D as follows:

T_R(X) = {A | A ∈ X or there exists a rule A ← L_1 ∧ ... ∧ L_n ∈ [[R]]
              such that L_i ∈ X for all positive literals L_i
              and L ∉ X for all negative literals L_j = ¬L}

where [[R]] denotes the set of all ground instances of rules in R.

As the immediate consequence operator T_R is monotonic for semi-positive databases, i.e., databases in which negative literals reference base relations only, its least fixpoint exists and coincides with the least Herbrand model S_D of D, i.e., S_D = lfp(T_R, F), where lfp(T_R, F) denotes the least fixpoint of operator T_R containing F.

For stratifiable databases, however, the semantics is defined as the iterated fixpoint model M_D which can be constructed as follows: Let D = (F, R) be a stratifiable database and λ a stratification on D. The partition R_1 ⊎ ... ⊎ R_n¹ of R defined by λ induces a sequence of least Herbrand models M_1, ..., M_n:

M_1 := lfp(T_{R_1}, F), M_2 := lfp(T_{R_2}, M_1), ..., M_n := lfp(T_{R_n}, M_{n-1}) =: M_D.

For illustrating the notations introduced above consider the following example of a stratifiable deductive database $\mathcal{D} = (\mathcal{F}, \mathcal{R})$:

$\mathcal{R}$: $h(X,Y) \leftarrow p(X,Y) \wedge \neg p(Y,X)$        $\mathcal{F}$: $b(1,2)$
    $p(X,Y) \leftarrow b(X,Y)$                                $b(2,1)$
    $p(X,Y) \leftarrow b(X,Z) \wedge p(Z,Y)$                   $b(2,3)$

Relation $p$ represents the transitive closure of relation $b$ while relation $h$ selects all $p(X,Y)$-facts where $Y$ is reachable from $X$ but not vice versa. A stratification postpones the evaluation of $h$ until all $p$ tuples have been derived and the iterated fixpoint model is given by $\mathcal{M}_\mathcal{D} = \mathcal{F} \cup \{p(1,1), p(1,2), p(1,3), p(2,1), p(2,2), p(2,3), h(1,3), h(2,3)\}$. Note that the iterated fixpoint model is a generalization of the least Herbrand model for semi-positive databases. In chapter 4 we recall the well-founded semantics for possibly unstratifiable rule sets which represents again a generalization subsuming stratifiable and semi-positive databases.

3 Update Propagation

The aim of update propagation is the computation of implicit changes of derived relations resulting from explicitly performed updates of the extensional fact base. As in most cases an update will affect only a small portion of the database, it is rarely reasonable to compute the induced changes by comparing the entire old and new database states. Instead, the implicit modifications should be iteratively computed by propagating the individual updates through the possibly affected rules and computing their consequences. Update propagation has been mainly studied in order to provide methods for incremental view maintenance and integrity checking in stratifiable databases.

^1 The symbol $\uplus$ denotes the union of disjoint sets.

During the last decade, many update propagation methods have been proposed, e.g., [1, 9, 12, 13]. In the following, however, we will focus on a propagation method which uses the deductive rules given in a database schema to derive deductive propagation rules for computing induced updates as proposed in [...]. In the following we will use the notions old and new database state to refer to the database state before and after an update has been performed. In addition, we use the superscripts $+$ and $-$ in relation names in order to represent (propagated) insertions and deletions, respectively. For a positive literal $A = r(t_1, \ldots, t_n)$ we define $A^+ := r^+(t_1, \ldots, t_n)$ and $A^- := r^-(t_1, \ldots, t_n)$. For a negative literal $L = \neg A$, we use $L^+ := A^-$ and $L^- := A^+$. Since an induced insertion or induced deletion can be simply represented by the difference between the two consecutive database states, the propagation rules for a given rule $A \leftarrow L_1 \wedge \ldots \wedge L_n$ may look as follows:

$A^+ \leftarrow L_i^+ \wedge new(L_1 \wedge \ldots \wedge L_{i-1} \wedge L_{i+1} \wedge \ldots \wedge L_n) \wedge old(\neg A)$
$A^- \leftarrow L_i^- \wedge old(L_1 \wedge \ldots \wedge L_{i-1} \wedge L_{i+1} \wedge \ldots \wedge L_n) \wedge new(\neg A).$

The propagation rules basically perform a comparison of the old and new database states while providing a focus on individual updates by $L_i^\nu$ with $\nu \in \{+,-\}$. Each propagation rule body may be divided into two further parts:

1. The derivability test ($\{new \mid old\}(L_1 \wedge \ldots \wedge L_n)$) is performed in order to determine whether $A$ is derivable in the new or old state, respectively.

2. The effectiveness test ($\{new \mid old\}(\neg A)$) checks whether the fact obtained by the derivability test is not derivable in the opposite state.

Propagation rules reference both the old and the new database state. The idea is to introduce so called transition rules that simulate the other state from a given one. A major advantage of such state simulation is that the underlying system need not provide a mechanism allowing deduction on two different database states. Although both directions are possible, we will concentrate on a somehow pessimistic approach, the simulation of the new state while the old one is actually given. In principle, there are two kinds of rules to be considered:

1. The naive transition rules of a derived relation infer its new state from the new states of the underlying relations. Thus, for a rule $A \leftarrow L_1 \wedge \ldots \wedge L_n$ a transition rule of the following form has to be considered:

$new(A) \leftarrow new(L_1 \wedge \ldots \wedge L_n).$

2. The incremental transition rules explicitly refer to the computed changes such that for every relation two rules of the following form are used:

$new(A) \leftarrow old(A) \wedge \neg A^-$
$new(A) \leftarrow A^+.$

As transition rules for base relations must explicitly refer to the given update, incremental rules are used in this case. It seems obvious to use incremental transition rules for derived relations also, as they provide a much better focus on the induced updates. However, doing so may cause stratification problems when propagation and transition rules are considered together [12]. [...] proposes an approach which combines incremental and naive transition rules for derived relations in such a way that the resulting set of rules is still stratifiable.

As an example, consider again the deductive database $\mathcal{D}$ from chapter 2. The update propagation rules for $p$ with respect to insertions into $b$ are as follows:

propagation rules:
$p^+(X,Y) \leftarrow b^+(X,Y) \wedge \neg p(X,Y)$
$p^+(X,Y) \leftarrow b^+(X,Z) \wedge p^{new}(Z,Y) \wedge \neg p(X,Y)$
$p^+(X,Y) \leftarrow p^+(Z,Y) \wedge b^{new}(X,Z) \wedge \neg p(X,Y)$
$h^+(X,Y) \leftarrow p^-(Y,X) \wedge p^{new}(X,Y) \wedge \neg h(X,Y)$
$h^+(X,Y) \leftarrow p^+(X,Y) \wedge \neg p^{new}(Y,X) \wedge \neg h(X,Y)$

transition rules:
$p^{new}(X,Y) \leftarrow b^{new}(X,Y)$
$p^{new}(X,Y) \leftarrow b^{new}(X,Z) \wedge p^{new}(Z,Y)$
$b^{new}(X,Y) \leftarrow b^+(X,Y)$
$b^{new}(X,Y) \leftarrow b(X,Y) \wedge \neg b^-(X,Y)$

Note that these rules can be determined at schema definition time and don't have to be recompiled whenever a new transaction is applied. Since we work on the old database state, the old-annotations are omitted in the effectiveness test. Given the following changes of base relations $\{b^+(3,1), b^+(3,4)\}$, the corresponding induced updates computed by the propagation rules are $\{p^+(1,4), p^+(2,4), p^+(3,1), p^+(3,2), p^+(3,3), p^+(3,4)\} \cup \{h^-(1,3), h^-(2,3)\} \cup \{h^+(1,4), h^+(2,4), h^+(3,4)\}$. The effectiveness test makes sure that only true updates are computed by the propagation rules; that is, only facts are derived which were not derivable in the old database state. Although the application of propagation rules indeed restricts the computation of induced updates, the transition rules of this example require the entire new state of relations $b$ and $p$ to be derived. In order to avoid this drawback, in [...] the evaluation of transition rules is already restricted by using the magic set method. As this plays an important role for our approach as well, we will discuss and develop this idea further in the subsequent sections.
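As an added example that is not part of the paper, the following Python code implements the immediate consequence operator of Definition 2, the iterated fixpoint of a stratified rule set, and the propagation and naive transition rules of the table above, and checks both the model $\mathcal{M}_\mathcal{D}$ of the b/p/h database from chapter 2 and the induced updates for $\{b^+(3,1), b^+(3,4)\}$ listed above. The rule syntax, the relation suffixes _plus, _minus and _new (standing for $+$, $-$ and $new$), the hand-supplied strata and all function names are my own choices.

```python
import re

# A literal is (positive, pred, args); a variable starts with an uppercase
# letter, anything else is a constant. A rule is (head, body), a ground
# atom is (pred, args). Suffixes _plus/_minus/_new stand for +, - and new.
LIT = re.compile(r'(not\s+)?(\w+)\(([^)]*)\)')

def parse(rule):
    """'p(X,Y) :- b(X,Z), not q(Z,Y)' -> (head literal, [body literals])."""
    lits = [(neg == '', pred, tuple(a.strip() for a in args.split(',')))
            for neg, pred, args in LIT.findall(rule)]
    return lits[0], lits[1:]

def atom(fact):
    """'b(1,2)' -> ('b', ('1', '2'))."""
    return parse(fact)[0][1:]

def is_var(term):
    return term[:1].isupper()

def matches(body, X, theta):
    """Yield every substitution extending theta under which the body holds
    in X; a negative literal (ground by then, rules are safe) must not be in X."""
    if not body:
        yield theta
        return
    pos, pred, args = body[0]
    if not pos:
        ground = tuple(theta[a] if is_var(a) else a for a in args)
        if (pred, ground) not in X:
            yield from matches(body[1:], X, theta)
        return
    for fpred, fargs in X:
        if fpred != pred or len(fargs) != len(args):
            continue
        t = dict(theta)
        for a, f in zip(args, fargs):
            if is_var(a) and a not in t:
                t[a] = f
            elif (t[a] if is_var(a) else a) != f:
                break
        else:
            yield from matches(body[1:], X, t)

def T(rules, X):
    """Immediate consequence operator T_R (Definition 2): X together with the
    heads of all ground rule instances whose body is satisfied in X."""
    out = set(X)
    for head, body in rules:
        body = sorted(body, key=lambda lit: not lit[0])  # positives first
        for theta in matches(body, X, {}):
            out.add((head[1], tuple(theta.get(a, a) for a in head[2])))
    return out

def lfp(rules, X):
    """Least fixpoint of T_R containing X (T_R is monotonic for a stratum,
    whose negative literals only refer to already fixed lower relations)."""
    while True:
        Y = T(rules, X)
        if Y == X:
            return X
        X = Y

def iterated_fixpoint(strata, F):
    """M_1 := lfp(T_{R_1}, F), ..., M_n := lfp(T_{R_n}, M_{n-1}) =: M_D."""
    M = set(F)
    for R in strata:
        M = lfp(R, M)
    return M

# The paper's stratifiable database: p is the transitive closure of b,
# h keeps the p(X,Y) facts whose reverse p(Y,X) does not hold.
F = {atom(s) for s in ["b(1,2)", "b(2,1)", "b(2,3)"]}
STRATA = [
    [parse("p(X,Y) :- b(X,Y)"), parse("p(X,Y) :- b(X,Z), p(Z,Y)")],
    [parse("h(X,Y) :- p(X,Y), not p(Y,X)")],
]

def model():
    """The iterated fixpoint model M_D of the example database."""
    return iterated_fixpoint(STRATA, F)

# Propagation rules for insertions into b plus naive transition rules for
# the new state, listed stratum by stratum so that every negative literal
# refers to a relation of a lower stratum (old state p, h are given facts).
PROPAGATION = [
    [parse("b_new(X,Y) :- b(X,Y), not b_minus(X,Y)"),
     parse("b_new(X,Y) :- b_plus(X,Y)")],
    [parse("p_new(X,Y) :- b_new(X,Y)"),
     parse("p_new(X,Y) :- b_new(X,Z), p_new(Z,Y)")],
    [parse("p_plus(X,Y) :- b_plus(X,Y), not p(X,Y)"),
     parse("p_plus(X,Y) :- b_plus(X,Z), p_new(Z,Y), not p(X,Y)"),
     parse("p_plus(X,Y) :- p_plus(Z,Y), b_new(X,Z), not p(X,Y)")],
    [parse("h_new(X,Y) :- p_new(X,Y), not p_new(Y,X)")],
    [parse("h_plus(X,Y) :- p_plus(X,Y), not p_new(Y,X), not h(X,Y)"),
     parse("h_plus(X,Y) :- p_minus(Y,X), p_new(X,Y), not h(X,Y)"),
     parse("h_minus(X,Y) :- p_plus(Y,X), p(X,Y), not h_new(X,Y)")],
]

def induced_updates(old_state, base_updates):
    """Evaluate the propagation rules over the materialised old state plus the
    explicit b_plus facts; return only the derived p/h insertions and
    deletions (the effectiveness tests keep them to true updates)."""
    M = iterated_fixpoint(PROPAGATION, old_state | base_updates)
    return {a for a in M if a[0] in ("p_plus", "p_minus", "h_plus", "h_minus")}
```

Calling `induced_updates(model(), {atom("b_plus(3,1)"), atom("b_plus(3,4)")})` yields exactly the eleven $p^+$, $h^-$ and $h^+$ facts given in the text.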

4 Alternating Fixpoint Computation

For unstratifiable rule sets, it is no longer sufficient to consider positive and negative conclusions only, as we did in the previous chapters. Instead, a three-valued semantics ought to be used that allows the specification of undefined facts, too.
The implicit state of $\mathcal{D}$ may then be defined as the well-founded model

$\mathcal{S}_\mathcal{D} := X^+ \cup \neg\cdot X^-,$

where $X^+, X^- \subseteq \mathcal{H}_\mathcal{D}$ are sets of ground atoms and $\neg\cdot X^-$ consists of all negations of atoms in $X^-$. The set $X^+$ represents the true portion of the well-founded model while $\neg\cdot X^-$ comprises all true negative conclusions. The set of undefined atoms is implicitly given by $\mathcal{H}_\mathcal{D} \setminus (X^+ \cup X^-)$. The exact definition of $X^+$ and $X^-$ can be found in [...]. For databases having a total well-founded model, as guaranteed for stratifiable ones, the set of undefined atoms is empty, and hence the set of false atoms can be derived from the set of true ones, i.e.,

$X^- = \overline{X^+},$

where $\overline{X^+}$ denotes the complement of $X^+$ with respect to the Herbrand base, i.e., $\overline{X^+} = \mathcal{H}_\mathcal{D} \setminus X^+$. For simplicity we will omit the set of negative conclusions in the following for databases with a total well-founded model. For the general case, however, it is necessary to determine at least two sets of the well-founded model. We will now present the alternating fixpoint computation proposed by Van Gelder for determining the well-founded model of unstratifiable databases. The basic idea of alternating fixpoint computation [...] is to repeatedly compute fixpoints of the given database, each time evaluating negative literals with respect to the complement of the previously obtained fixpoint. Assuming a fixed semantics for negative literals, even unstratifiable databases are reduced to semi-positive ones, such that traditional two-valued fixpoint semantics is applicable. The subsequently performed fixpoint computations alternately yield underestimates and overestimates of the set of actually true negative conclusions. The composition, however, of two such fixpoint computations is monotonic. Starting from an empty set of negative literals, the set of negative conclusions is constructed monotonically. In order to work on negative conclusions, a new consequence operator $T_{\mathcal{D},\mathcal{N}}$ is used that gives the set of all positive conclusions derivable from $\mathcal{D}$ and from the fixed set of negative literals $\mathcal{N}$. During an application of $T_{\mathcal{D},\mathcal{N}}$, a negative literal $\neg A$ is considered true if $\neg\cdot A$ is present in $\mathcal{N}$. In the following we describe the course of computing the alternating fixpoint by means of an example. Consider the following unstratifiable deductive database $\mathcal{D} = (\mathcal{F}, \mathcal{R})$ consisting of the rule

$e(X) \leftarrow succ(X,Y) \wedge \neg e(Y)$

and the facts

$succ(0,1),\ succ(1,2),\ succ(2,3),\ succ(3,4),\ succ(4,5).$

The deductive rule defines the even numbers between 0 and 5. At the beginning of the alternating fixpoint computation we assume all negative literals to be false, i.e., $\mathcal{N} = \emptyset$. Thus, the first fixpoint coincides with the given fact base:

$lfp(T_{\mathcal{D},\mathcal{N}_0}, \mathcal{F}) = \mathcal{F}$   $(= DT^0)$

The subsequent applications produce the following sequence where $\mathcal{N}_0$ is the set of negative succ/2 literals:



$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(0),e(1),e(2),e(3),e(4),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), \ldots, e(3), e(4)\}$   $(= NDF^1)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(4)\}$   $(= DT^1)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(0),e(1),e(2),e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), e(1), e(2), e(4)\}$   $(= NDF^2)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(2), e(4)\}$   $(= DT^2)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(0),e(1),e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), e(2), e(4)\}$   $(= NDF^3)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(1),e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), e(2), e(4)\}$   $(= DT^3)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(1),e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), e(2), e(4)\}$   $(= NDF^4)$

$lfp(T_{\mathcal{D},\,\mathcal{N}_0 \cup \neg\cdot\{e(1),e(3),e(5)\}}, \mathcal{F}) = \mathcal{F} \cup \{e(0), e(2), e(4)\}$   $(= DT^4)$



The calculation alternates between the computation of subsets of definitely true facts ($DT^i$) and the computation of supersets of not definitely false facts ($NDF^i$) using subsets of definitely false and supersets of not definitely true facts in $\mathcal{N}$, respectively. The composition of two steps is monotonic, i.e., the set of true facts as well as the set of definitely false facts is monotonically increasing. A fixpoint has been reached when the set of definitely false facts does not change any more. In the example the well-founded model is then given by

$\mathcal{S}_\mathcal{D} = DT^4 \cup \neg\cdot\overline{NDF^4}$

with the set of true conclusions $DT^4 = \mathcal{F} \cup \{e(0), e(2), e(4)\}$, the set of true negative conclusions $\neg\cdot\overline{NDF^4} = \{\neg e(1), \neg e(3), \neg e(5), \neg succ(1,1), \ldots\}$ and the empty set of undefined facts.

This approach to constructing the well-founded model is not particularly well-suited for being directly implemented, as it works on negative conclusions. From a practical point of view, it would be preferable to deal with positive facts, since they can be more easily represented in and retrieved from a database. Such a reformulation of the alternating fixpoint procedure has been presented in [10] where the sets of not definitely false facts are explicitly stored and only their complement is used to refer to true negative conclusions implicitly. This has led to the so-called doubled program approach for computing the well-founded model. The idea is to introduce for each unstratifiable derived relation referencing definitely true facts a second relation for not definitely false facts. In order to work on these relations the entire database is doubled and in each half the deductive rules are rewritten such that negative literals reference relations of the other half. This way, one half is employed for computing definitely true facts, and the other one for determining not definitely false facts. However, rules from the two halves are never applied together. For our previous sample database this leads to

$dt\_e(X) \leftarrow succ(X,Y) \wedge \neg ndf\_e(Y)$

$ndf\_e(X) \leftarrow succ(X,Y) \wedge \neg dt\_e(Y).$

It is not necessary to double base relations^2 because they are known to have a total well-founded model. Therefore, the transformation leaves base relation succ/2 in its original form. Note that both parts of the doubled database are semi-positive if considered separately. In the following we will call this transformation doubled-program rewriting [10].

^2 It is even not necessary to double relations not relying on unstratified negation but this optimization is orthogonal to the following ideas and is left out for simplicity.

Definition 3 (Doubled-Program Rewriting). Let $\mathcal{D} = (\mathcal{F}, \mathcal{R})$ be a deductive database and $G_\mathcal{D}$ the corresponding predicate dependency graph. The injective mapping $dt$ assigns to each literal $L$ with $pred(L) \subseteq pred(\mathcal{R})$ its definitely true form such that

- $dt(L) := dt\_p(t_1, \ldots, t_n)$ if $L = p(t_1, \ldots, t_n)$ is a positive derived literal

- $dt(L) := \neg ndf\_p(t_1, \ldots, t_n)$ if $L = \neg p(t_1, \ldots, t_n)$ is a negative literal.

The injective mapping $ndf$ assigns to each literal $L$ its not definitely false form such that

- $ndf(L) := ndf\_p(t_1, \ldots, t_n)$ if $L = p(t_1, \ldots, t_n)$ is a positive derived literal

- $ndf(L) := \neg dt\_p(t_1, \ldots, t_n)$ if $L = \neg p(t_1, \ldots, t_n)$ is a negative literal.

Both mappings may also be applied to conjunctions and sets of literals, i.e.,

$dt(L_1 \wedge \ldots \wedge L_n) := \bigwedge_{1 \le i \le n} dt(L_i),\qquad dt(\{L_1, \ldots, L_n\}) := \bigcup_{1 \le i \le n} dt(L_i)$

$ndf(L_1 \wedge \ldots \wedge L_n) := \bigwedge_{1 \le i \le n} ndf(L_i),\qquad ndf(\{L_1, \ldots, L_n\}) := \bigcup_{1 \le i \le n} ndf(L_i).$

The doubled-program rewriting of $\mathcal{R}$ is the set of rules $\mathcal{R}^{dd} := \mathcal{R}^{dt} \cup \mathcal{R}^{ndf}$ where $\mathcal{R}^{dt}$ and $\mathcal{R}^{ndf}$ are stratifiable rule sets defined as follows:

$\mathcal{R}^{dt} := \{dt(A) \leftarrow dt(W) \mid A \leftarrow W \in \mathcal{R}\}$

$\mathcal{R}^{ndf} := \{ndf(A) \leftarrow ndf(W) \mid A \leftarrow W \in \mathcal{R}\}.$

In order to get access to definitely true and not definitely false facts separately after a fixpoint computation has been applied, we introduce the notions of dt- and ndf-restriction. This is because the fact base contains both, and hence each fixpoint may include facts belonging to the other half of the database.

Definition 4 (dt- and ndf-Restriction). Let $\mathcal{D} = (\mathcal{F}, \mathcal{R})$ be a deductive database, $\mathcal{D}^{dd} = (\mathcal{F}, \mathcal{R}^{dd})$ the deductive database derived from $\mathcal{D}$ by applying the doubled-program rewriting to $\mathcal{R}$ and $\mathcal{H}_{\mathcal{D}^{dd}}$ the Herbrand base of $\mathcal{D}^{dd}$. For a set of ground atoms $I \subseteq \mathcal{H}_{\mathcal{D}^{dd}}$ we define:

$I|_{dt} := \{dt(A) \mid A \in \mathcal{H}_\mathcal{D} \setminus \mathcal{F} \text{ and } dt(A) \in I\}$

$I|_{ndf} := \{ndf(A) \mid A \in \mathcal{H}_\mathcal{D} \setminus \mathcal{F} \text{ and } ndf(A) \in I\}.$

The algorithm for computing the alternating fixpoint model, called AFP materialization in [...], is given in Alg. 1. Note that because of the doubled-program rewriting the inner fixpoint computations may use the simpler immediate consequence operator again. In the following sections, this algorithm will serve as the starting point for developing techniques that will improve its performance.
Algorithm 1 AFP materialization

$i := 0;$
$DT^0 := \emptyset;$
repeat
  $i := i + 1;$
  $NDF^i := lfp(T_{\mathcal{R}^{ndf}}, DT^{i-1} \cup \mathcal{F})|_{ndf};$
  $DT^i := lfp(T_{\mathcal{R}^{dt}}, DT^{i-1} \cup NDF^i \cup \mathcal{F})|_{dt};$
until $DT^i = DT^{i-1};$
$DT := DT^i \cup \mathcal{F};$
$NDF := NDF^i \cup \mathcal{F};$



The scheme in Alg. 1 defines alternating fixpoint computation as follows: At the beginning, $DT^0$ is initialized with the empty set. Afterwards, in each round of the iteration phase, not definitely false facts are computed and then definitely true facts, each time employing the previously obtained fixpoint for evaluating negative literals. The iteration terminates if the set of definitely true facts does not change any more. The well-founded model $\mathcal{S}_\mathcal{D}$ is then represented by $dt^{-1}(DT) \cup \neg\cdot\overline{ndf^{-1}(NDF)}$.

5 AFP Materialization Using Update Propagation

Several optimizations have been proposed for the scheme in Alg. 1 (e.g. in [10] and in [...]) including layering of rule sets and further rule set restrictions for stratifiable and semi-positive rules. However, the problem of repeated computations of facts remained. Consider again our previous example and the corresponding results when applying the scheme in Alg. 1. Starting from $DT^0 = \emptyset$ we obtain:

$NDF^1 = \{ndf\_e(0), ndf\_e(1), ndf\_e(2), ndf\_e(3), ndf\_e(4)\}$

$DT^1 = \{dt\_e(4)\}$

$NDF^2 = \{ndf\_e(0), ndf\_e(1), ndf\_e(2), ndf\_e(4)\}$

$DT^2 = \{dt\_e(2), dt\_e(4)\}$

$NDF^3 = \{ndf\_e(0), ndf\_e(2), ndf\_e(4)\}$

$DT^3 = \{dt\_e(0), dt\_e(2), dt\_e(4)\}$

$NDF^4 = \{ndf\_e(0), ndf\_e(2), ndf\_e(4)\}$

$DT^4 = \{dt\_e(0), dt\_e(2), dt\_e(4)\}$

In each phase many facts of the previous iteration round are repeatedly computed, e.g. all definitely true facts of previous iterations are repeated. The changes to the sets of definitely true and not definitely false facts, however, are caused only by the changes of the other set computed before, respectively. Since DT-facts as well as NDF-facts represent base facts for the other half, it seems to be useful to compute the changes of the DT-facts and NDF-facts only. This can be achieved by means of update propagation rules for true updates that explicitly refer to the given changes of the base facts. Since the set of DT-facts monotonically increases, it is sufficient to consider propagation rules for induced insertions only, whereas for the monotonically decreasing set of NDF-facts, propagation rules for induced deletions have to be considered only. As stated before, for computing true updates, references to both the old as well as the new state are necessary. As proposed in chapter 3, we now define propagation and transition rules assuming that the old state is present and the new one is simulated, generally. For the algorithms to come, however, it turned out to be quite useful to consider certain combinations of states in order to get a smaller set of propagation rules. Therefore, in the following we assume the old DT-, the new NDF- and the $NDF^-$-facts to be present when propagation rules for computing insertions for DT-facts are considered, whereas the old DT-, the old NDF- and the $DT^+$-facts are present when propagation rules for deletions from the NDF set are evaluated.

Definition 5 ($\mathcal{R}^{\Delta dt}$ Propagation Rules). Let $\mathcal{R}^{dt}$ be a stratifiable deductive rule set. The $new_{dt}$-mapping assigns to each literal $L$ with $pred(L) \in pred(\mathcal{R}^{dt})$ its new dt state relation such that

- $new_{dt}(L) := dt\_p^{new}(x)$, if $L = dt\_p(x)$ is a positive derived literal

- $new_{dt}(L) := \neg ndf\_p(x)$, if $L = \neg ndf\_p(x)$ is a negative literal.

The mapping may also be applied to conjunctions of literals. The set of propagation rules for true updates with respect to $\mathcal{R}^{dt}$ is denoted $\mathcal{R}^{\Delta dt}$ and is defined as follows: For each rule $A \leftarrow L_1 \wedge \ldots \wedge L_n \in \mathcal{R}^{dt}$ with $A = dt\_p(x)$ and each negative body literal $L_i = \neg ndf\_q(y)$ a propagation rule of the form

$dt\_p^+(x) \leftarrow ndf\_q^-(y) \wedge new_{dt}(L_1 \wedge \ldots \wedge L_{i-1} \wedge L_{i+1} \wedge \ldots \wedge L_n) \wedge \neg A$

is in $\mathcal{R}^{\Delta dt}$, whereas for each positive derived body literal $L_j = dt\_r(z)$ a propagation rule of the form

$dt\_p^+(x) \leftarrow dt\_r^+(z) \wedge new_{dt}(L_1 \wedge \ldots \wedge L_{j-1} \wedge L_{j+1} \wedge \ldots \wedge L_n) \wedge \neg A$

is in $\mathcal{R}^{\Delta dt}$. No other rules are in $\mathcal{R}^{\Delta dt}$.

Simulating the new state as in our approach requires the definition of transition rules for DT-facts that are positively referenced in a rule's body in $\mathcal{R}^{\Delta dt}$. Since we know that the new state of DT-facts is simply the union of computed insertions and (old) facts already stored in the database, i.e.,

$dt\_p^{new}(x) \leftarrow dt\_p(x)$        $dt\_p^{new}(x) \leftarrow dt\_p^+(x),$

we will fold the transition rules into the rules in $\mathcal{R}^{\Delta dt}$ and denote the resulting rule set by $\mathcal{R}^{\Delta dt}_f$. For the propagation and transition rules of the NDF-facts we will now define the sets $\mathcal{R}^{\Delta ndf}$ and $\mathcal{R}^{newndf}$, respectively.

Definition 6 ($\mathcal{R}^{\Delta ndf}$ Propagation Rules). Let $\mathcal{R}^{ndf}$ be a stratifiable deductive rule set. The set of propagation rules for true updates with respect to $\mathcal{R}^{ndf}$ is defined as follows: For each rule $A \leftarrow L_1 \wedge \ldots \wedge L_n \in \mathcal{R}^{ndf}$ with $A = ndf\_p(x)$ and each negative body literal $L_i = \neg dt\_q(y)$ a propagation rule of the form

$ndf\_p^-(x) \leftarrow dt\_q^+(y) \wedge L_1 \wedge \ldots \wedge L_{i-1} \wedge L_{i+1} \wedge \ldots \wedge L_n \wedge \neg ndf\_p^{new}(x)$

is in $\mathcal{R}^{\Delta ndf}$, whereas for each positive derived body literal $L_j = ndf\_r(z)$ a propagation rule of the form

$ndf\_p^-(x) \leftarrow ndf\_r^-(z) \wedge L_1 \wedge \ldots \wedge L_{j-1} \wedge L_{j+1} \wedge \ldots \wedge L_n \wedge \neg ndf\_p^{new}(x)$

is in $\mathcal{R}^{\Delta ndf}$. No other rules are in $\mathcal{R}^{\Delta ndf}$.

Algorithm 2 AFP materialization using update propagation rules

$i := 0;$
$DT := \mathcal{F};$
$NDF := lfp(T_{\mathcal{R}^{ndf}}, DT)|_{ndf};$
$\Delta^+DT^0 := +\cdot lfp(T_{\mathcal{R}^{dt}}, DT \cup NDF)|_{dt};$
repeat
  $i := i + 1;$
  $\Delta^-NDF^i := lfp(T_{\mathcal{R}^{\Delta ndf} \cup \mathcal{R}^{newndf}}, NDF \cup DT \cup \Delta^+DT^{i-1})|_{ndf};$
  $DT := DT \cup tf(\Delta^+DT^{i-1});$
  $NDF := NDF \setminus tf(\Delta^-NDF^i);$
  $\Delta^+DT^i := lfp(T_{\mathcal{R}^{\Delta dt}}, NDF \cup DT \cup \Delta^-NDF^i)|_{dt};$
until $\Delta^+DT^i = \emptyset;$



Simulating the new state as proposed in the previous section, we then have to consider transition rules for the $\mathcal{R}^{\Delta ndf}$ rules, while for $\mathcal{R}^{\Delta dt}$ the effectiveness test can be performed simply over the current database state.

Definition 7 ($\mathcal{R}^{newndf}$ Transition Rules). Let $\mathcal{R}^{ndf}$ be a stratifiable deductive rule set. The $new_{ndf}$-mapping assigns to each literal $L$ with $pred(L) \in pred(\mathcal{R}^{ndf})$ its new ndf state relation such that

- $new_{ndf}(L) := ndf\_p^{new}(x)$, if $L = ndf\_p(x)$ is a positive derived literal

- $new_{ndf}(L) := \neg dt\_p^{new}(x)$, if $L = \neg dt\_p(x)$ is a negative literal.

The mapping may also be applied to conjunctions of literals. The set of transition rules $\mathcal{R}^{newndf}$ with respect to $\mathcal{R}^{ndf}$ is defined as follows: For each rule $A \leftarrow L_1 \wedge \ldots \wedge L_n \in \mathcal{R}^{ndf}$ a transition rule of the form

$new_{ndf}(A) \leftarrow new_{ndf}(L_1 \wedge \ldots \wedge L_n)$

is in $\mathcal{R}^{newndf}$, while for each negative literal $L_j = \neg dt\_p(x)$ two transition rules

$dt\_p^{new}(x) \leftarrow dt\_p(x)$        $dt\_p^{new}(x) \leftarrow dt\_p^+(x)$

Similar to the previous case, we will fold the transition rules for DT-facts into the transition rules for NDF-facts in $\mathcal{R}^{newndf}$ and denote the resulting rule set as $\mathcal{R}^{newndf}_f$.
Before integrating propagation rules into the AFP materialization scheme, we still have to introduce two more notions that allow us to transform literals to their dynamic form and vice versa. For a ground atom $A = p^\nu(t_1, \ldots, t_n)$ with $\nu \in \{+,-\}$ the tf-mapping is defined as $tf(A) := \{p(t_1, \ldots, t_n)\}$ while for $\nu = new$ the empty set is returned. The mapping may also be applied to a set of ground atoms. For a ground atom $A = p(t_1, \ldots, t_n)$ we will use $+\cdot A$ to refer to $p^+(t_1, \ldots, t_n)$. This concatenation may also be applied to a set of ground atoms and is simply used to transform the initial DT-facts into their dynamic form. The modified algorithm for computing the alternating fixpoint model based on calculating updates is presented in Alg. 2. The essential difference to the AFP materialization procedure is that the algorithm starts with sets of DT- and NDF-facts which will be updated only by new DT-facts to be added and NDF-facts to be removed within each iteration round until no more new DT-facts can be derived. The expensive evaluation of rules with respect to the underlying database is restricted to the calculation of the smaller set of induced updates. Consider once again our previous example when using the scheme in Alg. 2. First, we determine the update propagation rules for the sets $\mathcal{R}^{dt}$ and $\mathcal{R}^{ndf}$:

$\mathcal{R}^{\Delta dt}$:  $dt\_e^+(X) \leftarrow ndf\_e^-(Y) \wedge succ(X,Y) \wedge \neg dt\_e(X)$

$\mathcal{R}^{\Delta ndf}$:  $ndf\_e^-(X) \leftarrow dt\_e^+(Y) \wedge succ(X,Y) \wedge \neg ndf\_e^{new}(X).$

The transition rules for ndf are

$\mathcal{R}^{newndf}$:  $ndf\_e^{new}(X) \leftarrow succ(X,Y) \wedge \neg dt\_e(Y) \wedge \neg dt\_e^+(Y).$

At the beginning, the set of DT-facts is initialized with the set of base facts and the resulting NDF-facts are determined. From this set, the first new DT-facts can be calculated yielding $\Delta^+DT^0 = \{dt\_e^+(4)\}$. In the following loop, $\Delta^-NDF^i$ and $\Delta^+DT^i$ are computed and the corresponding NDF- and DT-set is updated:

$\Delta^-NDF^1 = \{ndf\_e^-(3), ndf\_e^{new}(0), ndf\_e^{new}(1), ndf\_e^{new}(2), ndf\_e^{new}(4)\}$

$\Delta^+DT^1 = \{dt\_e^+(2)\}$

$\Delta^-NDF^2 = \{ndf\_e^-(1), ndf\_e^{new}(0), ndf\_e^{new}(2), ndf\_e^{new}(4)\}$

$\Delta^+DT^2 = \{dt\_e^+(0)\}$

$\Delta^-NDF^3 = \{ndf\_e^{new}(0), ndf\_e^{new}(2), ndf\_e^{new}(4)\}$

$\Delta^+DT^3 = \emptyset$

Note that using the rule set $\mathcal{R}^{\Delta ndf} \cup \mathcal{R}^{newndf}$ it is necessary to determine the iterated fixpoint model $\mathcal{M}_\mathcal{D}$ for evaluating $\Delta^-NDF^i$. Although Alg. 2 already provides a focus on the changes of DT- and NDF-sets, the iterated fixpoint still includes the complete new state simulation of ndf relations derived by their corresponding transition rules. The reason for this redundancy is that the materialization of side literals within the derivability and effectiveness test is not restricted to the facts that are relevant for the particular propagated update. Hence, even the usage of incremental transition rules offers no advantage over the naive ones.
The idea adopted from [9] is to use the magic set method in order to focus on the relevant part of derivability and effectiveness test only. The application of magic sets with respect to a stratifiable rule set, however, may introduce unstratifiable cycles within these rules and thus for their evaluation the alternating fixpoint would be necessary. To avoid this twist, we propose a different consequence operator $\hat{T}$ in order to get rid of the concept of stratification at all.

We will now introduce the new rule sets for $\mathcal{R}^{\Delta ndf}$ and $\mathcal{R}^{newndf}$ after applying magic sets by means of our example. For each rule in $\mathcal{R}^{\Delta ndf}$ we apply the magic set rewriting with respect to the abstract (propagation) queries represented by $ndf\_p^-(x)$ atoms with $ndf\_p^- \in pred(\mathcal{R}^{\Delta ndf})$. In the example this would lead to

$\mathcal{R}^{\Delta ndf}_{ms}$:  $ndf\_e^-(X) \leftarrow dt\_e^+(Y) \wedge succ(X,Y) \wedge \neg ndf\_e^{new}(X)$

$ms\_ndf\_e^{new}(X) \leftarrow dt\_e^+(Y) \wedge succ(X,Y)$

where the rule set $\mathcal{R}^{\Delta ndf}_{ms}$ consists of all transformed propagation rules and the second rule set contains all corresponding sub-query rules. For each rule in $\mathcal{R}^{newndf}$ we apply the magic set rewriting with respect to all sub-queries defined in the latter, leading to rule set $\mathcal{R}^{newndf}_{ms}$. In the example this set is given by

$\mathcal{R}^{newndf}_{ms}$:  $ndf\_e^{new}(X) \leftarrow ms\_ndf\_e^{new}(X) \wedge succ(X,Y) \wedge \neg dt\_e(Y) \wedge \neg dt\_e^+(Y).$

As mentioned above, combining these three sets would lead to an unstratifiable rule set. This unstratifiability is solely caused by the effectiveness test in $\mathcal{R}^{\Delta ndf}_{ms}$ which negatively refers to new state literals in $\mathcal{R}^{newndf}_{ms}$. We will therefore consider the transformed propagation rules $\mathcal{R}^{\Delta ndf}_{ms}$ and the transformed transition rules $\mathcal{R}^{newndf}_{ms}$ together with the sub-query rules separately (getting two stratifiable rule sets) and introduce a new sequential consequence operator $\hat{T}$ for their evaluation.



Definition 8 (Sequential Consequence Operator). Let $\mathcal{D} = (\mathcal{F}, \mathcal{R})$ be a deductive database, $\mathcal{R}_1 \cup \mathcal{R}_2$ a partition of $\mathcal{R}$ and $X \subseteq \mathcal{H}_\mathcal{D}$ a set of ground atoms. The sequential consequence operator is defined as

$\hat{T}_{(\mathcal{R}_1, \mathcal{R}_2)}(X) := T_{\mathcal{R}_2}(lfp(T_{\mathcal{R}_1}, X)).$



The basic property of $\hat{T}_{(\mathcal{R}_1, \mathcal{R}_2)}$ is that before $\mathcal{R}_2$ is applied once, the rule set $\mathcal{R}_1$ is evaluated until no more derivations can be made. Using $\mathcal{R}^{newndf}_{ms}$ and $\mathcal{R}^{\Delta ndf}_{ms}$ as first and second rule set, the operator makes sure that all necessary new state facts are derived before a propagation rule using these facts within its derivability and effectiveness test is evaluated. As the sequential consequence operator is monotonic for the stratifiable rule sets $\mathcal{R}^{newndf}_{ms}$ and $\mathcal{R}^{\Delta ndf}_{ms}$, its least fixpoint exists and coincides with the total well-founded model $\mathcal{S}_\mathcal{D}$ of $\mathcal{D} = (\mathcal{F}, \mathcal{R}^{newndf}_{ms} \cup \mathcal{R}^{\Delta ndf}_{ms})$:

$\mathcal{S}_\mathcal{D} = lfp(\hat{T}_{(\mathcal{R}^{newndf}_{ms}, \mathcal{R}^{\Delta ndf}_{ms})}, \mathcal{F}).$
Algorithm 3 AFP materialization using magic update propagation rules

$i := 0;$
$DT := \mathcal{F};$
$NDF := lfp(T_{\mathcal{R}^{ndf}}, DT)|_{ndf};$
$\Delta^+DT^0 := +\cdot lfp(T_{\mathcal{R}^{dt}}, DT \cup NDF)|_{dt};$
repeat
  $i := i + 1;$
  $\Delta^-NDF^i := lfp(\hat{T}_{(\mathcal{R}^{newndf}_{ms}, \mathcal{R}^{\Delta ndf}_{ms})}, NDF \cup DT \cup \Delta^+DT^{i-1})|_{ndf};$
  $DT := DT \cup tf(\Delta^+DT^{i-1});$
  $NDF := NDF \setminus tf(\Delta^-NDF^i);$
  $\Delta^+DT^i := lfp(\hat{T}_{(\emptyset, \mathcal{R}^{\Delta dt})}, NDF \cup DT \cup \Delta^-NDF^i)|_{dt};$
until $\Delta^+DT^i = \emptyset;$



The least fixpoint of $\hat{T}$ with respect to the rule sets $\mathcal{R}^{newndf}_{ms}$ and $\mathcal{R}^{\Delta ndf}_{ms}$ corresponds to the fixpoint of the following sequence:

$\mathcal{T}_1 := lfp(T_{\mathcal{R}^{newndf}_{ms}}, \mathcal{F})$

$\mathcal{T}_2 := T_{\mathcal{R}^{\Delta ndf}_{ms}}(\mathcal{T}_1)$

$\mathcal{T}_3 := lfp(T_{\mathcal{R}^{newndf}_{ms}}, \mathcal{T}_2)$

$\mathcal{T}_4 := T_{\mathcal{R}^{\Delta ndf}_{ms}}(\mathcal{T}_3)$

$\ldots$

As the transition rules in $\mathcal{R}^{newndf}_{ms}$ contain negative literals referencing base relations only, i.e., DT and $DT^+$ relations, the semantics of $\mathcal{R}^{newndf}_{ms}$ can be determined by applying the simple immediate consequence operator. The application of $\hat{T}_{(\mathcal{R}^{newndf}_{ms}, \mathcal{R}^{\Delta ndf}_{ms})}$ then alternates between the determination of induced deletions from NDF after proving their effectiveness within the inner fixpoint calculation. Starting from the set of base facts, the effectiveness of all induced updates to be derived is tested one iteration round before in the inner fixpoint computation such that the operator never evaluates negative literals too early. The scheme in Alg. 3 defines how to compute the well-founded model using magic set transformed update propagation rules.

The overall evaluation scheme remained as in Alg. 2. The basic difference can be found in the $\Delta^-NDF^i$-sets, as only relevant new state facts are computed:

$DT = \mathcal{F}$

$NDF = \{ndf\_e(0), ndf\_e(1), ndf\_e(2), ndf\_e(3), ndf\_e(4)\}$

$\Delta^+DT^0 = \{dt\_e^+(4)\}$

$\Delta^-NDF^1 = \{ndf\_e^-(3), ms\_ndf\_e^{new}(3)\}$

$\Delta^+DT^1 = \{dt\_e^+(2)\}$

$\Delta^-NDF^2 = \{ndf\_e^-(1), \ldots\}$

$\Delta^+DT^2 = \{dt\_e^+(0)\}$

$\Delta^-NDF^3 = \Delta^+DT^3 = \emptyset$

In each phase, only those facts are computed that lead to changes in the corresponding DT- and NDF-set, avoiding full materialization of new state relations.
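As an added example (not the paper's code), the following Python code runs the three materialization schemes, Alg. 1, Alg. 2 and Alg. 3, on the even-number database of chapter 4, specialised to its single rule: the dt_e and ndf_e relations are represented by plain sets of their arguments, the new state of dt_e is simulated as dt_e ∪ dt_e⁺ as the transition rules of Definition 7 prescribe, and the function names and the round-by-round traces they return are my own conventions. The traces reproduce the $NDF^i$/$DT^i$ and $\Delta^-NDF^i$/$\Delta^+DT^i$ sets listed in the text.

```python
# dt_e and ndf_e are represented by the sets of their arguments; the base
# relation succ stays undoubled, as in the paper.
SUCC = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 5)}   # the paper's fact base

def half(succ, other):
    """lfp of one half of the doubled program, i.e. of the rule
    q(X) <- succ(X,Y), not r(Y) with the other half's facts `other` fixed.
    The head does not occur in the body, so a single application of the
    immediate consequence operator already is the least fixpoint."""
    return {x for x, y in succ if y not in other}

def afp(succ=SUCC):
    """Alg. 1: NDF^i := lfp(T_R^ndf, DT^{i-1}), DT^i := lfp(T_R^dt, NDF^i)
    until DT^i = DT^{i-1}. Returns DT, NDF and the list of (NDF^i, DT^i)."""
    dt, rounds = set(), []
    while True:
        ndf = half(succ, dt)
        new_dt = half(succ, ndf)
        rounds.append((ndf, new_dt))
        if new_dt == dt:
            return dt, ndf, rounds
        dt = new_dt

def delta_ndf_naive(succ, dt, dt_plus):
    """Alg. 2 (R^newndf, then R^Δndf): simulate the complete new ndf_e state,
        ndf_e^new(X) <- succ(X,Y), not dt_e(Y), not dt_e^+(Y)
    and derive the induced deletions with the effectiveness test on it,
        ndf_e^-(X) <- dt_e^+(Y), succ(X,Y), not ndf_e^new(X).
    Returns (Δ^-NDF^i deletions, new-state side facts computed on the way)."""
    ndf_new = {x for x, y in succ if y not in dt and y not in dt_plus}
    ndf_minus = {x for x, y in succ if y in dt_plus and x not in ndf_new}
    return ndf_minus, ndf_new

def delta_ndf_magic(succ, dt, dt_plus):
    """Alg. 3 (sequential operator: R^newndf_ms to its fixpoint, then one
    application of R^Δndf_ms). The sub-query ms_ndf_e^new(X) <- dt_e^+(Y),
    succ(X,Y) restricts the new-state simulation to the X values the
    effectiveness test actually asks for."""
    ms = {x for x, y in succ if y in dt_plus}
    ndf_new = {x for x, y in succ if x in ms and y not in dt and y not in dt_plus}
    ndf_minus = {x for x in ms if x not in ndf_new}
    return ndf_minus, ms

def afp_propagation(delta_ndf, succ=SUCC):
    """Driver shared by Alg. 2 and Alg. 3: DT and NDF are initialised once and
    afterwards changed only by the induced updates. Returns DT, NDF and the
    rounds (Δ^-NDF^i, side facts, Δ^+DT^i); round 0 holds only Δ^+DT^0."""
    dt = set()                        # DT := F (no dt_e facts yet)
    ndf = half(succ, dt)              # NDF := lfp(T_R^ndf, DT)|ndf
    dt_plus = half(succ, ndf)         # Δ^+DT^0 := +.lfp(T_R^dt, DT ∪ NDF)|dt
    rounds = [(set(), set(), dt_plus)]
    while dt_plus:                    # until Δ^+DT^i = ∅
        ndf_minus, side = delta_ndf(succ, dt, dt_plus)
        dt = dt | dt_plus             # DT := DT ∪ tf(Δ^+DT^{i-1})
        ndf = ndf - ndf_minus         # NDF := NDF \ tf(Δ^-NDF^i)
        # R^Δdt: dt_e^+(X) <- ndf_e^-(Y), succ(X,Y), not dt_e(X)
        dt_plus = {x for x, y in succ if y in ndf_minus and x not in dt}
        rounds.append((ndf_minus, side, dt_plus))
    return dt, ndf, rounds

def well_founded(dt, ndf, domain=range(6)):
    """S_D = dt^-1(DT) ∪ ¬·complement(ndf^-1(NDF)), returned as the e-arguments
    that are (true, false, undefined); undefined = NDF \ DT is empty here."""
    return dt, set(domain) - ndf, ndf - dt
```

All three schemes end with DT = NDF = {0, 2, 4}; the naive variant materialises the whole ndf_e^new state in every round while the magic variant only derives the single sub-query fact the effectiveness test needs.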



6 Conclusion

In this paper, we have presented a new efficient bottom-up evaluation procedure for computing well-founded models of function-free rules in the context of deductive databases. This procedure provides a practical method for handling normal logic programs that involve unstratified negation in a manner that may be mixed with other approaches such as layering, sips and further rule set restrictions [...]. Based on the doubled program approach [10] we use update propagation rules in order to restrict computation to changes of definitely true and not definitely false facts. Because of the specific context, we are able to solve stratification problems which arise if the magic set transformation is used in combination with propagation rules by introducing a new consequence operator. Although the technique of combining magic sets with update propagation rules as proposed in [9] needs to be further investigated, we showed its useful application in our context already. Our approach is closely related to the work in [...] for optimizing the residual program evaluation. Despite the additional sub-query and transitional facts needed in our approach, our transformation based method is easy to implement, providing similar enhancements as [6].
Abstract. We propose a categorical framework which formalizes and 
extends the syntax, operational semantics and declarative model theory 
of a broad range of logic programming languages. A program is inter- 
preted in an indexed category in such a way that the base category 
contains all the possible states which can occur during the execution of 
the program (such as global constraints or type information), while each 
fiber encodes the logic at each state. 

We define appropriate notions of categorical resolution and models, and 
we prove the related correctness and completeness properties. 



1 Introduction 

One of the greatest benefits of logic programming is that it is based upon the 
notion of executable specifications. The text of a logic program is endowed with 
both an operational (algorithmic) interpretation and an independent mathematical meaning which agree with each other in several ways. 

An operational interpretation is needed if we wish to specify programs which 
can be executed with some degree of efficiency, while a clear mathematical 
(declarative) meaning simplifies the work of the programmer, who can, to some 
extent, focus on "what to do" instead of "how". The problem is that operational 
expressiveness (i.e. the capability of directing the flow of execution of a program) 
tends to obscure declarative meaning. Research in logic programming strives to 
find a good balance between these opposite needs. 

Horn logic programming was one of the first attempts in this area and surely 
the most famous. However, it has limitations when it comes to real programming 
tasks. Its forms of control flow are too primitive: there are simple problems (such 
as computing the reflexive closure of a relation) which cannot be coded in the 
obvious way, since the programs so obtained do not terminate. The expressive 
power of its logic is too weak, both for programming in the small and in the large: 
it lacks any mathematically precise notion of module, program composition or 
typing. Moreover, if we want to work with some data structure, we need to 
manually code the behavior and constraints of such a structure in the Horn 
logic, often obscuring the intended meaning of the code. 

For these reasons, various extensions have been proposed to the original 
framework of Horn clauses, often borrowing ideas from other paradigms. Some 
noteworthy extensions are the use of algebraic operators for modularization [?], 
the use of more powerful extensions to the logic [21], control operators like the 
"cut" of PROLOG and abstract data types [20]. The effect has been to expand 
the boundaries of the field and the very notion of the declarative content of a 
program. We lack criteria for good language design and models to evaluate the new 
features, or to formalize the very notion of declarative programming. 

Moreover, semantic methods for Horn logic programming are increasingly 
similar in spirit to those for functional and imperative programming, under the 
stimulus of techniques such as abstract interpretation [?]. This suggests looking 
for a sufficiently flexible new logic programming foundation using a framework 
in which all these paradigms can be well understood. Categorical logic 
seems an excellent candidate for such an undertaking. 

Categorical approaches to logic programming go back to the treatment of 
unification given by Rydeheard and Burstall in [23]. Building on this work, in [3] 
the syntax of Horn clause logic is formalized using categorical tools and a topos-theoretic 
semantics. In [?], following some basic ideas already developed in [?], 
a categorical analysis of logic program transitions and models is given using 
indexed monoidal categories. The framework that we propose here builds on 
some of the ideas in that paper, which have proved seminal, but which fall short 
of formulating the kind of general blueprint we seek for declarative programming. 

The approaches just cited focus on the operational or model theoretic side of 
logic programming, but lack any bottom-up denotational semantics like the T_P 
operator of van Emden and Kowalski [25]. For us, the immediate consequence 
operator seems to be a cornerstone of logic programming, since it appears, in 
one form or another, across several semantic treatments of logic programs [4]. 
Most of the studies in the semantics of logic programming are heavily based 
on the existence of some fixpoint construction: treatments of compositionality 
of semantics [?], modularity [3], static analysis [?], and debugging [2]. For this 
reason, it seems to us that further investigation of a categorical framework which 
includes a form of bottom-up semantics is advisable. 

The first step in this direction was taken in [?], which uses categorical syntax 
over finite r-categories [?]. It is the starting point for introducing both a notion 
of categorical SLD derivation and a denotational semantics which resembles 
the correct answer semantics for Horn logic programs. This semantics can be 
computed with a fixpoint construction and it can be shown to agree with a more 
general notion of categorical derivation. 

1.1 The New Approach 

Our framework starts from the work in [?] and [?]. However, we redefine the 
fundamental categorical structures with the hope of generalizing the methods in 
three main directions: 

— in the ability to treat kinds of semantics other than the "correct answers" 
one. The concept of interpretation must be far broader than that of 
[13], allowing for semantic domains different from Set^C; 

— in the ability to treat programs with constraints between goals. This means 
that we must provide a new bottom-up operator which works for a generic 
syntactic category and not only with C[X_1, ..., X_n]; 

— in the adaptability to different logic languages. In particular, we would like 
to treat languages such as CLP or add some control operators to pure 
logic programming. 

To pursue these goals, we move to a more general categorical interpretation of 
logic. Instead of taking goals to be monics in the category C, we use an indexed 
category over C. An object in the fiber over σ ∈ Obj(C) will be the categorical 
counterpart of a goal of sort σ. It is the standard indexed/fibrational categorical 
interpretation of full first order logic, as can be found in, e.g., [?]. 

To simplify the presentation, we begin without any kind of monoidal structure 
in the fibers. This means we are not able to handle conjunction in goals 
externally and compositionally: we are restricted to so-called binary clauses. 
However, adding monoidal structures is quite straightforward, and it has been 
done in [1]. 



1.2 Notation 

We will assume the reader is familiar with the basic concepts of logic programming 
[2] and category theory [?]. Here, we only give some brief definitions and 
notation. Basic categorical background for logic programming can be found in, 
e.g., [?]. 

Given a category C, we denote by Obj(C) and Mor(C) the corresponding 
classes of objects and morphisms (arrows). With id_A we denote the identity 
arrow for the object A, while 1 is the terminator, × the product and ∨ denotes 
coproducts. We use ∨ as a functor, applying it to objects and arrows as well. 
Given f : A → B and g : B → C, we write f ; g for their composition. With 
Hom_C(A, B) we denote the class of morphisms from A to B in C. We omit the 
index C when it is clear from the context. Given a functor F : C → C, a fixpoint 
for F is a pair (a, t) such that t : Fa → a is an isomorphism. 

We denote sequences by writing their elements one after the other. We use λ 
to denote the empty sequence and · as the juxtaposition operator. 

A (strict) indexed category over C is a functor 𝒫 : C^op → Cat, where C^op is 
the opposite category of C and Cat is the category of all small categories. We 
refer to objects and arrows in C^op with the same symbols as their counterparts 
in C. Given σ ∈ Obj(C^op), the category 𝒫σ is the fiber of 𝒫 over σ. An indexed 
functor from 𝒫 : C^op → Cat to 𝒬 : D^op → Cat is a pair (F, τ) such that F : C → D 
is the change of base functor and τ : 𝒫 → F^op ; 𝒬 is a natural transformation. 
An indexed natural transformation η : (F, τ) → (F', τ') : 𝒫 → 𝒬 is given by a 
pair (ξ, δ) such that ξ : F → F' is a natural transformation and δ is a C-indexed 
family of natural transformations 

$\delta_\sigma : \tau_\sigma \to \tau'_\sigma \,;\, \mathcal{Q}(\xi_\sigma)$ (1) 

subject to some coherence conditions. A detailed treatment of indexed categories 
and fibrations can be found in [?]. 

2 Syntax 

In the following, we introduce several kinds of indexed categories called doctrines 
[?]. We abuse terminology, since a doctrine is generally understood to be an 
indexed category where reindexing functors have left adjoints, and this property 
does not always hold for our doctrines. We have chosen this terminology to 
emphasize the relation between the indexed categories used for the syntax and 
those used for the semantics (which are actually Lawvere doctrines). 

Definition 1 (Logic programming doctrine). An LP doctrine (logic programming 
doctrine) is an indexed category 𝒫 over a base category C. For each 
σ ∈ Obj(C), objects and arrows in 𝒫σ are called goals and proofs (of sort σ) 
respectively. Given a goal G of sort σ and f : ρ → σ in C, 𝒫_f(G) is an instance 
of G. We also denote it by f^♯G or G(f). 

We write G : σ and f : σ as a short form for G ∈ Obj(𝒫σ) and f ∈ Mor(𝒫σ). 
Given an LP doctrine 𝒫, a clause (of sort σ) is a name cl, with an associated 
pair (Tl, Hd) of goals of sort σ, that we write as Hd ←cl— Tl. 

Definition 2 (Logic program). A logic program is a pair (P, 𝒫) where 𝒫 is 
an LP doctrine and P a set of clauses. We often say that P is a program over 
𝒫. 



It is possible to see a logic program as an indexed category over Obj(C) 
whose fiber over σ is the category of goals of sort σ with arrows given by clauses of 
sort σ. 

The idea underlying the framework is that the base category represents the 
world of all possible states to which program execution can lead. At each state, 
the corresponding fiber represents an underlying theory: a set of deductions 
which can always be performed, independently of the actual program. A clause 
is a new deduction, which we want to consider, freely adjoined to the proofs in 
the fibers. 

The advantage of using categories is that we do not need to restrict our 
interest to syntactical terms and goals. We can choose any base category we 
desire and build binary logic programs over terms which are interpreted already 
at the syntactic level in the base. 

Example 3 (Binary logic programs). Assume C is a finite product category. We 
can think of C as a not necessarily free model of an appropriate many-sorted 
signature. We can build a syntactic doctrine for binary logic programs where 
terms are arrows in this category. We need to fix a signature Π for predicates 
over C, i.e. a set of predicate symbols with an associated sort among Obj(C). We 
write p : σ when p is a predicate symbol of sort σ. Then, we define an indexed 
category 𝒫_Π over C: 

— 𝒫_Π(σ) is the discrete category whose objects are pairs (p, f) such that p : ρ 
in Π and f : σ → ρ is an arrow in C. To ease notation, we write p(f) instead 
of (p, f); 

— 𝒫_Π(f), where f : ρ → σ, is the functor mapping p(t) ∈ Obj(𝒫_Π(σ)) to 
p(f ; t) ∈ Obj(𝒫_Π(ρ)). 

The interesting point here is that terms are treated semantically. For example, 
assume C is the full subcategory of Set whose objects are the sets N^i for every 
natural i and p : N is a predicate symbol. If succ and fact are the functions for 
the successor and factorial of a natural number, then (succ ; succ ; succ)^♯(p(3)) = 
fact^♯(p(3)) = p(6). 

In the previous example, the fibers of the syntactic doctrine were discrete 
categories freely generated by a set of predicate symbols. When we define the 
concept of model for a program, below, it will be clear we are not imposing any 
constraints on the meaning of predicates. In general, we can use more complex 
categories for fibers. 

Example 4 (Symmetric closure of predicates). In the hypotheses of Example 3, 
assume we have two predicate symbols p and symp of sort ρ × ρ, and we want to 
encode in the syntactic doctrine the property that symp contains the symmetric 
closure of p. Then, we freely adjoin to 𝒫_Π the following two arrows in the fiber 
ρ × ρ: 

r_1 : p → symp , 

r_2 : p → symp(⟨π_2, π_1⟩) , 

where π_1 and π_2 are the obvious cartesian projections. We call [name lost in the scan] the new 
LP doctrine we obtain. The intuitive meaning of the adjoined arrows is evident. 



3 Models 



A key goal of our treatment is to consider extensions to definite logic programs 
without losing the declarative point of view, namely by defining a corresponding 
straightforward extension of the notion of model for a program. 

Indexed functors (F, τ) between LP doctrines will be called interpretations. For every goal 
or proof x in the fiber σ, we write τ_σ(x) as ⟦x⟧_σ. We also use ⟦x⟧ when the fiber 
of x is clear from the context. 



Definition 5 (Models). Given a program P over the doctrine 𝒫, a model of 
P is a pair (⟦_⟧, ι) where ⟦_⟧ : 𝒫 → 𝒬 is an interpretation and ι is a function 
which maps a clause Hd ←cl— Tl ∈ P to an arrow ⟦Hd⟧ → ⟦Tl⟧. 

In the following, a model M = (⟦_⟧, ι) will be used as an alias for its constituent 
parts. Hence, M(cl) will denote ι(cl) and M_σ(G) will denote ⟦G⟧_σ. The 
composition of M with an interpretation N is given as the model (⟦_⟧ ; N, ι ; N). 

Example 6 (Ground answers for binary logic programs). Consider the LP doctrine 
𝒫_Π defined in Example 3 and the indexed category 𝒬 over C such that 

— for each σ ∈ Obj(C), 𝒬(σ) = ℘(Hom_C(1, σ)), which is an ordered set viewed 
as a category; 

— for each f ∈ Hom_C(σ, ρ), 𝒬(f)(X) = {r ∈ Hom_C(1, σ) | r ; f ∈ X}. 

An interpretation ⟦_⟧ maps an atomic goal of sort σ to a set of arrows from the 
terminal object of C to σ. These arrows are indeed the categorical counterpart 
of ground terms. 

Two significant models are given by the interpretations which map every goal 
G of sort σ to Hom(1, σ) or to ∅. Clauses and arrows are obviously mapped to 
identities. If we see Hom(1, σ) as the true value and ∅ as false, they correspond 
to the interpretations where everything is true or everything is false. 

When the syntactic doctrine is discrete, as in the previous example, an interpretation 
from 𝒫 to 𝒬 can map every object in 𝒫 to any object in 𝒬, provided 
this mapping is well-behaved w.r.t. reindexing. However, in the general case, 
other restrictions are imposed. 

Example 7. Assume the hypotheses of Example 4. Consider the LP doctrine 𝒬 as 
defined in Example 6. An interpretation ⟦_⟧ from the doctrine of Example 4 to 𝒬 is forced to map the 
arrows r_1 and r_2 to arrows in 𝒬. This means that ⟦symp⟧ ⊇ ⟦p⟧ and ⟦symp⟧ ⊇ 
⟦p(⟨π_2, π_1⟩)⟧, i.e. ⟦symp⟧ ⊇ ⟦p⟧ ; ⟨π_2, π_1⟩. In other words, the interpretation of 
symp must contain both the interpretation of p and its symmetric counterpart. 

One of the ways to obtain a model of a program P over 𝒫 is to freely adjoin 
the clauses of P to the fibers of 𝒫. We obtain a free model of P over 𝒫. 

Definition 8 (Free model). A model M of (P, 𝒫) is said to be free when, 
for each model M' of (P, 𝒫), there exists a unique interpretation N such that 
M' = M ; N. 

It is easy to prove that, if M and M' are both free models for a program 
(P, 𝒫) in two different LP doctrines 𝒬 and 𝒬', then 𝒬 and 𝒬' are isomorphic. 

4 Operational Semantics 

Our logic programs also have a quite straightforward operational interpretation. 
Given a goal G of sort σ in a program (P, 𝒫), we want to reduce G using both 
arrows in the fibers of 𝒫 and clauses. This means that, if cc : G → Tl is a clause 
or a proof in 𝒫, we want to perform a reduction step from G to Tl. 

In this way, the only rewritings we can immediately apply to G are given by 
rules (proofs or clauses) of sort σ. It is possible to rewrite using a clause cl of 
another sort ρ only if we find a common "ancestor" α of σ and ρ, i.e. a span 

σ ← α → ρ (2) 

in the base category such that G and the head of cl become equal once they are 
reindexed to the fiber α. 

Definition 9 (Unifier). Given two goals G_1 : σ_1 and G_2 : σ_2 in an LP doctrine 
𝒫, a unifier for them is a span (t_1, t_2) of arrows of the base category such that 
t_1 : α → σ_1, t_2 : α → σ_2 and t_1^♯G_1 = t_2^♯G_2. 

Unifiers for a pair of goals form a category Unif_{G_1,G_2} where arrows from 
(t_1, t_2) to (r_1, r_2) are given by the common notion of arrow between spans, i.e. 
a morphism f : dom(t_1) → dom(r_1) such that f ; r_1 = t_1 and f ; r_2 = t_2. 

Definition 10 (MGU). A most general unifier (MGU) for goals G_1 : σ_1 and 
G_2 : σ_2 in an LP doctrine 𝒫 is a maximal element of Unif_{G_1,G_2}. 

Example 11 (Standard mgu). Consider the indexed category 𝒫_Π as in Example 
3. Given goals p_1(t_1) : σ_1 and p_2(t_2) : σ_2, a unifier is a pair of arrows r_1 : α → σ_1 
and r_2 : α → σ_2 such that the following square commutes: 

r_1 ; t_1 = r_2 ; t_2 : α → ρ, with r_1 : α → σ_1, t_1 : σ_1 → ρ, r_2 : α → σ_2, t_2 : σ_2 → ρ (3) 

This is exactly the definition of unifier for renamed apart terms t_1 and t_2 given 
in [3], which corresponds to unifiers in the standard syntactic sense. Moreover, 
the span (r_1, r_2) is maximal when (3) is a pullback diagram, i.e. a most general 
unifier. 

Note that in the standard syntactic categories with freely adjoined predicates 
there is no unifier between goals p_1(t_1) and p_2(t_2) if p_1 ≠ p_2. However, this does 
not hold in our more general setting. Actually, in a completely general doctrine, 
we have a notion of logic program and execution without any notion of predicate 
symbol at all. 

In the same way, it is possible to reduce a goal G : σ with a proof f : Hd → 
Tl in the fiber ρ iff there exists an arrow r : ρ → σ such that r^♯G = Hd. We 
call a pair (r, f) with such properties a reduction pair. Reduction pairs form a 
category such that t ∈ Mor(C) is an arrow from (r_1, f_1) to (r_2, f_2) if r_1 = t ; r_2 
and t^♯f_2 = f_1. A most general reduction pair is a maximal reduction pair. Note 
that most general unifiers or reduction pairs do not necessarily exist. This is not 
a big problem, since all the theory we develop works the same. 

Following these ideas, it is possible to define a categorical form of SLD derivation. 

Definition 12 (Categorical derivation). Given a program (P, 𝒫), we define 
a labeled transition system (⨆_{σ ∈ Obj(C)} Obj(𝒫σ), ⇝) with goals as objects, 
according to the following rules: 

backchain-clause: G ⇝^{(r, t, cl)} t^♯Tl if cl is a clause Hd ←cl— Tl and (r, t) is a 
unifier for G and Hd (i.e. r^♯G = t^♯Hd); 

backchain-arrow: G ⇝^{(r, f)} Tl if G is a goal in the fiber σ, f : Hd → Tl is a 
proof in the fiber ρ and (r, f) is a reduction pair for G. 

A categorical derivation is a (possibly empty) derivation in this transition system. 

If we restrict SLD-steps to the use of most general unifiers and most general 
reduction pairs, we have a new transition system (⨆_{σ ∈ Obj(C)} Obj(𝒫σ), ⇝_g) and 
a corresponding notion of most general (m.g.) categorical derivation. In the 
following, when not otherwise stated, everything we say about derivations can 
be applied to m.g. ones. 

If there are goals G_0, ..., G_i and labels l_0, ..., l_{i−1} with i ≥ 0 such that 

G_0 ⇝^{l_0} G_1 ⇝^{l_1} ··· G_{i−1} ⇝^{l_{i−1}} G_i (4) 

we write G_0 ⇝^d G_i, where d = l_0 ··· l_{i−1} is the string obtained by concatenating 
all the labels. Note that d ≠ λ uniquely induces the corresponding sequence of 
goals. We will write ε_G for the empty derivation starting from goal G. 

Given a derivation d, we call the answer of d (and we write answer(d)) the arrow 
in C defined by induction on the length of d as follows: 

answer(ε_G) = id_σ if G : σ , 

answer((r, f) · d) = answer(d) ; r , 
answer((r, t, cl) · d) = answer(d) ; r . 

In particular, we call most general answers the answers corresponding to m.g. 
derivations. 

Example 13 (Standard SLD derivations). Consider a program P in the syntactic 
doctrine 𝒫_Π and a goal p(t_1) of sort σ. Given a clause p(t_2) ←cl— q(t), and an 
mgu (r_1, r_2) for p(t_1) and p(t_2), we have a most general derivation step 

p(t_1) ⇝^{(r_1, r_2, cl)} q(r_2 ; t) . (5) 

This strictly corresponds to a step of the standard SLD derivation procedure for 
binary clauses and atomic goals. 

However, in the categorical derivation, it is possible to reduce w.r.t. one of 
the identity arrows of the fibers. Therefore, if p(t) : σ, 

p(t) ⇝^{(id_σ, id_{p(t)})} p(t) (6) 

is an identity step which does not have a counterpart in the standard resolution 
procedure. However, these steps have an identity answer. Therefore, fixing a goal 
p(t), the set 

{answer(d) | d : p(t) ⇝_g* G} (7) 

is the set of partial answers for the goal p(t). 

We can use categorical derivations to build several interesting models for logic 
programs. In particular, with the answer function we can build models which are 
the general counterpart of partial computed answers, correct answers and ground 
answers. 

Example 14 (Model for ground answers). Consider a program P in 𝒫_Π and an 
interpretation ⟦_⟧ in the LP doctrine 𝒬 defined in Example 6 such that 

⟦p(t)⟧ = {answer(d) | d : p(t) ⇝_g* G is a m.g. ground derivation} , (8) 

where a ground derivation is a derivation whose last goal is in the fiber 𝒫(1). 

Now, for each clause p_1(t_1) ←cl— p_2(t_2), if d is a m.g. ground derivation of p_2(t_2), 
then 

d' = p_1(t_1) ⇝^{(id_σ, id_σ, cl)} · d (9) 

is a m.g. ground derivation for p_1(t_1) with answer(d') = answer(d). Therefore, 
⟦p_1(t_1)⟧ ⊇ ⟦p_2(t_2)⟧ and this gives an obvious mapping ι from clauses to arrows 
in the fibers of 𝒬. It turns out that (⟦_⟧, ι) is a model for P. 

5 Completeness 

Assume given a program P over the LP doctrine 𝒫 : C^op → Cat. It is possible to 
use categorical derivations to obtain a free model of P. First of all, consider the 
following definitions: 

Definition 15 (Flat derivations). A derivation is called flat (on the fiber σ) 
when all the r fields in the labels of the two backchain rules are identities (on 
σ). 

Definition 16 (Simple derivations). A derivation is called simple when 

— there are no two consecutive backchain-arrow steps, 

— there are no backchain-arrow steps with identity arrows f. 

Given a derivation d : G_1 ⇝* G_2 with answer(d) = θ, there is a canonical flat 
simple derivation d̂ : θ^♯G_1 ⇝* G_2 obtained by collapsing consecutive backchain-arrow 
steps. If we define a congruence ≡ on derivations such that 

d_1 ≡ d_2 ⟺ answer(d_1) = answer(d_2) and d̂_1 = d̂_2 , (10) 

it is possible to define an LP doctrine ℱ_P over C such that ℱ_P(σ) is the category 
of equivalence classes of flat simple derivations on the fiber σ. 

Now, we can define an interpretation ⟦_⟧ = (id_C, τ) from 𝒫 to ℱ_P and a 
function ι such that: 

- τ_σ(G) = G; 

- τ_σ(f : G → G') = [G ⇝^{(id_σ, f)} G']_≡; 

- ι(Hd ←cl— Tl) = [Hd ⇝^{(id_σ, id_σ, cl)} Tl]_≡. 

We obtain that (⟦_⟧, ι) is a free model of P, which we will denote by F_P. Then, 
we have the following corollaries: 

Theorem 17 (Soundness theorem). Assume given a program P in 𝒫, a goal 
G and a model M = (⟦_⟧, ι) : 𝒫 → 𝒬. If d is a derivation from G to G' 
with computed answer θ, there exists an arrow p : θ^♯⟦G⟧ → ⟦G'⟧ in 𝒬, where 
p = arrow(d) is defined by induction: 

arrow(ε_G) = id_{⟦G⟧} , 

arrow(d · (r, f)) = r^♯(arrow(d)) ; ⟦f⟧ , 
arrow(d · (r, t, cl)) = r^♯(arrow(d)) ; t^♯(ι(cl)) . 

Theorem 18 (Completeness theorem). Assume given a program P in 𝒫, 
a free model M : 𝒫 → 𝒬 and goals G, G' of sort σ. If there is an arrow 
f : M(G) → M(G') in the fiber M(σ) of 𝒬, then there is a simple flat derivation 
G ⇝* G'. 

6 Fixpoint Semantics 

Assume we have a program (P, 𝒫). We have just defined the notion of SLD 
derivation. Now, we look for a fixpoint operator, similar in spirit to the immediate 
consequence operator T_P of van Emden and Kowalski [25]. Starting from 
an interpretation ⟦_⟧ : 𝒫 → 𝒬, our version of T_P gives as a result a new interpretation 
⟦_⟧' : 𝒫 → 𝒬 which, in some way, can be extended to a model of P with 
more hope of success than ⟦_⟧. 

Our long term objective is the ability to give fixpoint semantics to all of the 
possible programs in our framework. However, in this paper we will restrict our 
attention to a subclass of programs which have particular freeness properties. 

Definition 19 (Goal free logic program). A logic program (P, 𝒫) is called 
goal free when there is a set {X_1 : σ_1, ..., X_n : σ_n} of sorted generic goals with 
the following properties: 

— 𝒫 is obtained from an LP doctrine 𝒯 by freely adjoining the generic goals to 
the appropriate fibers of 𝒯; 

— there are no clauses targeted at a goal in 𝒯. 

An instance of a generic goal is called a dynamic goal. We want to stress here 
that only the meaning of dynamic goals is modified step after step by the fixpoint 
construction, while all the goals in 𝒯 have a fixed meaning. Note that, given 
⟦_⟧ : 𝒫 → 𝒬, the interpretation of all the dynamic goals only depends on the 
interpretation of the generic goals. Intuitively, dynamic goals are those defined by the 
program P, and which are modified incrementally by bottom-up approximation. 
Fixed goals are the built-in predicates contributed by the ambient theory. 

Example 20. If P is a program over the syntactic doctrine 𝒫_Π of Example 3, 
then it is goal free. Actually, we can define 𝒯 : C^op → Cat such that 

— for each σ ∈ Obj(C), 𝒯(σ) = ∅, i.e. the empty category; 

— for each t ∈ Mor(C), 𝒯(t) = id_∅. 

Then 𝒫_Π is obtained from 𝒯 by freely adjoining a goal p(id_σ) for each p : σ ∈ Π. 

However, if we consider the syntactic doctrine in Example 4, then a program 
P must not have any arrow targeted at p or symp if it wants to be goal free. 

In order to define a fixpoint operator with reasonable properties, we require 
a more complex categorical structure in the target doctrine 𝒬 than in 𝒫. 

Definition 21 (Semantic doctrine). A semantic LP doctrine 𝒬 is an LP 
doctrine where 

— fibers have coproducts and canonical colimits of ω-chains; 

— each reindexing functor 𝒬_t has a left adjoint ∃^𝒬_t and preserves on the nose 
canonical colimits of ω-chains. 

We will drop the superscript 𝒬 from ∃^𝒬_t when it is clear from the context. If 
we only work with finite programs, it is enough for fibers to have only finite 
coproducts. 

Example 22. Given a finite product category C, consider the indexed category 
𝒬 as defined in Example 6. It is possible to turn 𝒬 into a semantic LP doctrine. 
Actually: 

— each fiber is a complete lattice, hence it has coproducts given by intersection 
and canonical colimits of ω-chains given by union; 

— we can define ∃_f, with f : ρ → σ, as the function which maps an X ⊆ 
Hom_C(1, ρ) to 

∃_f(X) = {t ; f | t ∈ X} (11) 

which is a subset of Hom_C(1, σ). 

We can prove that all the conditions for semantic doctrines are satisfied. 
Now, assume we have an interpretation ⟦_⟧ = (F, τ) from 𝒫 to 𝒬, where 𝒬 is a 
semantic LP doctrine. We want to build, step after step, a modified interpretation 
which is also a model of P. With a single step we move from ⟦_⟧ to E_P(⟦_⟧) = 
(F, τ') where 

$\tau'_{\sigma_i}(X_i) = ⟦X_i⟧_{\sigma_i} \vee \bigvee_{X_i(t) \leftarrow Tl \,\in\, P} \exists_t ⟦Tl⟧ ,$ (12) 

$\tau'_{\sigma}(X_i(t)) = t^\sharp(\tau'_{\sigma_i}(X_i)) ,$ (13) 

while τ' = τ restricted to 𝒯. We should define τ' on arrows but, since there are 
only identities between dynamic goals, the result is obvious. 

In the same way, if δ is an arrow between interpretations, we have E_P(δ) = δ', 
where 

$\delta'_{\sigma, G} = \delta_{\sigma, G}$ if $G \in Obj(\mathcal{T}_\sigma) ,$ (14) 

(15) 

(16) 

Since the only non-trivial arrows are in 𝒯 and δ_σ is a natural transformation for 
each σ, the same can be said of δ'_σ. It follows that E_P is well defined. 

It is interesting to observe that there is a canonical transformation ν between 
⟦_⟧ and E_P(⟦_⟧) given by: 

$\nu_{\sigma, G} = id_{⟦G⟧}$ if $G \in Obj(\mathcal{T}_\sigma) ,$ 

$\nu_{\sigma_i, X_i} = in : ⟦X_i⟧_{\sigma_i} \to E_P(⟦\_⟧)_{\sigma_i}(X_i) ,$ 

where in is the appropriate injection. Therefore, we can build an ω-chain 
and we can prove that its colimit E_P^ω(⟦_⟧) is a fixpoint for E_P. Finally, we have 
the following: 

Theorem 23. Given a program (P, 𝒫), a semantic LP doctrine 𝒬 and an 
interpretation ⟦_⟧ : 𝒫 → 𝒬, then E_P has a least fixpoint greater than ⟦_⟧. Such a 
fixpoint can be extended to a model of P in 𝒬. 

Example 24. If we write the definition of E_P in all the details for the syntactic 
doctrine in Example 3, we obtain 

$E_P(⟦\_⟧)_{\sigma_i}(X_i) = ⟦X_i⟧_{\sigma_i} \cup \bigcup_{X_i(t) \leftarrow X_j(r) \,\in\, P} \{\, f ; t \mid f ; r \in ⟦X_j⟧_{\sigma_j},\ \mathrm{dom}(f) = 1 \,\} ,$ (17) 

$E_P(⟦\_⟧)_{\sigma}(X_i(t)) = \{\, f \mid f ; t \in E_P(⟦\_⟧)_{\sigma_i}(X_i) \,\} .$ (18) 
If we work with C defined by the free algebraic category for a signature Σ, then 
E_P(⟦_⟧) becomes equivalent to the standard T_P semantics for logic programs. 

Assume C = Set. Moreover, assume we have two predicate symbols p : N and 
true : 1 and two clauses p(succ ; succ) ← p(id_N) and p(0) ← true. Let ⟦_⟧ be the 
unique interpretation which maps true to Hom(1, 1) and p to ∅. Then, we can 
compute successive steps of the E_P operator starting from ⟦_⟧, obtaining 

E_P^0(⟦_⟧)(p) = ∅ 

E_P^1(⟦_⟧)(p) = {0} 

E_P^2(⟦_⟧)(p) = {0, 2} (19) 

E_P^n(⟦_⟧)(p) = {0, 2, ..., 2(n − 1)} 

where we identify an arrow f : 1 → N with f(•), i.e. f applied to the only 
element of its domain. If we take the colimit of this ω-chain, we have 

E_P^ω(⟦_⟧)(p) = {f : 1 → N | f(•) is even} , (20) 

which is what we would expect from the intuitive meaning of the program P. 
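The E_P iteration just computed, as an added example that is not code from the paper: a small Python model of the operator of equation (17) over the ground-answer doctrine 𝒬 of Examples 6 and 22, run on the program p(succ ; succ) ← p(id_N), p(0) ← true. The sort names, the finite BOUND standing in for the infinite Hom(1, N), and all function names are this example's own assumptions.

```python
from typing import Callable, Dict, FrozenSet, Hashable, List, Tuple

# Added example (not the paper's code).  Base category C = Set; a ground term of
# sort sigma is an arrow 1 -> sigma, identified with its value f(*) as on the page.
Ground = Hashable
Arrow = Callable[[Ground], Ground]          # an arrow sigma -> rho of Set

# Finite stand-in for Hom(1, sigma).  Hom(1, N) is infinite in the paper; this
# example (assumption) enumerates naturals up to BOUND and drops anything larger.
BOUND = 40
HOM_FROM_1: Dict[str, FrozenSet[Ground]] = {
    "1": frozenset([()]),                    # the terminal object: one arrow 1 -> 1
    "N": frozenset(range(BOUND + 1)),
}

# A clause X_i(t) <- X_j(r) of sort rho, stored as
# (X_i, t : rho -> sigma_i, X_j, r : rho -> sigma_j, rho).
Clause = Tuple[str, Arrow, str, Arrow, str]
# An interpretation [[_]] on the generic goals: [[X_i]] is a subset of Hom(1, sigma_i).
Interp = Dict[str, FrozenSet[Ground]]


def reindex(t: Arrow, dom: str, x: FrozenSet[Ground]) -> FrozenSet[Ground]:
    """Q(t)(X) = { f : 1 -> dom | f ; t in X }   (Example 6, equation 18)."""
    return frozenset(f for f in HOM_FROM_1[dom] if t(f) in x)


def exists(t: Arrow, cod: str, x: FrozenSet[Ground]) -> FrozenSet[Ground]:
    """Left adjoint of reindexing, E_t(X) = { f ; t | f in X }   (equation 11).
    Values outside the finite enumeration of Hom(1, cod) are dropped."""
    return frozenset(t(f) for f in x) & HOM_FROM_1[cod]


def e_p(program: List[Clause], sorts: Dict[str, str], interp: Interp) -> Interp:
    """One application of E_P (equation 17): for each clause X_i(t) <- X_j(r),
    [[X_i]] grows by { f ; t | f ; r in [[X_j]], dom(f) = 1 }."""
    new = dict(interp)
    for head, t, body, r, rho in program:
        body_instances = reindex(r, rho, interp[body])      # [[X_j(r)]] in the fiber rho
        new[head] = new[head] | exists(t, sorts[head], body_instances)
    return new


def omega_chain(program: List[Clause], sorts: Dict[str, str],
                interp: Interp, steps: int) -> List[Interp]:
    """[[_]], E_P([[_]]), ..., E_P^steps([[_]]): the chain whose colimit is the fixpoint."""
    chain = [interp]
    for _ in range(steps):
        chain.append(e_p(program, sorts, chain[-1]))
    return chain


def least_fixpoint(program: List[Clause], sorts: Dict[str, str], interp: Interp) -> Interp:
    """Iterate E_P until it stops changing (Theorem 23); finite here because of BOUND."""
    current = interp
    while True:
        nxt = e_p(program, sorts, current)
        if nxt == current:
            return current
        current = nxt


# The program of Example 24:  p(succ ; succ) <- p(id_N)  and  p(0) <- true.
succ_succ: Arrow = lambda n: n + 2      # succ ; succ : N -> N
zero: Arrow = lambda _star: 0           # 0 : 1 -> N
identity: Arrow = lambda v: v
EXAMPLE_24: List[Clause] = [
    ("p", succ_succ, "p", identity, "N"),
    ("p", zero, "true", identity, "1"),
]
SORTS = {"p": "N", "true": "1"}
# Starting interpretation: true -> Hom(1, 1), p -> the empty set.
START: Interp = {"p": frozenset(), "true": HOM_FROM_1["1"]}

if __name__ == "__main__":
    for n, step in enumerate(omega_chain(EXAMPLE_24, SORTS, START, 4)):
        print(f"E_P^{n}([[_]])(p) = {sorted(step['p'])}")       # [], [0], [0, 2], ...
    print(sorted(least_fixpoint(EXAMPLE_24, SORTS, START)["p"]))  # even numbers up to BOUND
```

Within the finite bound the chain stabilises, so `least_fixpoint` returns the even numbers up to BOUND, the truncated form of equation (20).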

7 An Example: Binary CLP 

We are going to show that our categorical framework can handle quite easily the 
broad class of languages known under the name of constraint logic programming 
[?]. It is evident that we need a categorical counterpart of a constraint system. We 
refer to the definition which appears in [22]. 

Definition 25 (Constraint system). A constraint system over a finite product 
category C is an indexed category over C such that each fiber is a meet 
semilattice and reindexing functors have left adjoints. 

Now, given a constraint system 𝒟 over C, let us denote by D the corresponding 
category we obtain by the Grothendieck construction [16]. To be more 
precise: 

— objects of D are pairs (σ, c) where σ ∈ Obj(C) and c ∈ Obj(𝒟(σ)); 

— arrows in D from (σ_1, c_1) to (σ_2, c_2) are given by arrows f : σ_1 → σ_2 in C 
such that c_1 ≤ f^♯c_2. We denote such an arrow with (f, c_1 ≤ c_2). 

Given a predicate signature Π over C, we define a new LP doctrine 𝒫_Π^𝒟 over 
D. For each (σ, c) in D, the corresponding fiber is the discrete category whose 
objects are of the form c □ p(t) with p : ρ in Π and t : σ → ρ. For each arrow 
(f, c_1 ≤ c_2), the reindexing functor maps c_2 □ p(t) to c_1 □ p(f ; t). 

Now, we fix a program P. For each goal G = c □ p_1(f) of sort (σ, c) and clause 
cl = c' □ p_1(f_1) ← c' □ p_2(f_2) of sort (σ', c'), let (r, t) be the mgu of f and f_1 in C, 
and c'' = r^♯c ∧ t^♯c'. Then ((r, c'' ≤ c), (t, c'' ≤ c')) is an mgu of G and the head of cl in 
𝒫_Π^𝒟. We can perform a m.g. SLD step 

c □ p_1(f) ⇝^{((r, c'' ≤ c), (t, c'' ≤ c'), cl)} c'' □ p_2(t ; f_2) . (21) 

As a result, a clause that we typically write as p_1(t_1) ← c □ p_2(t_2), with p_1(t_1), 
p_2(t_2) and c of sort σ, behaves like a clause c □ p_1(t_1) ← c □ p_2(t_2) of sort (σ, c) 
in our framework. 

We can also build a semantic doctrine 𝒬 over D such that the fiber corresponding 
to (σ, c) is the lattice of downward closed subsets of constraints of sort 
σ less than c, i.e. 

𝒬(σ, c) = ℘↓{c' ∈ Obj(𝒟σ) | c' ≤ c} . (22) 

Moreover, 

𝒬(f, c_1 ≤ c_2)(X) = ↓{c_1 ∧ f^♯c | c ∈ X} , (23) 

∃_{(f, c_1 ≤ c_2)}(X) = ↓{∃_f c | c ∈ X} , (24) 

where ↓Y is the downward closure of the set of constraints Y. It is easy to check 
that these form a pair of adjoint functors and that 𝒬 is indeed a semantic LP 
doctrine. Therefore, we can compute a fixpoint semantics. 

If C is the algebraic category freely generated by an empty set of function 
symbols and 𝒟 is a constraint system on real numbers, consider the program 

x² = y □ p(x) ← x² = y □ q(x, y) 

x = 2y □ q(x, y) ← x = 2y □ true 

where p, q and true are predicate symbols of sort (1, ⊤_1), (2, ⊤_2) and (0, ⊤_0) 
respectively. Here, 0, 1 and 2 denote the sorts of all the goals of the corresponding 
arity. Moreover, we assume there is a constraint ⊤_i for each arity i which is 
the top of 𝒟(i), preserved by reindexing functors. Assume we start with the 
interpretation ⟦_⟧ mapping p and q to ∅ and true to 𝒟(0). Then, by applying the 
E_P operator: 

E_P(⟦_⟧)(q) = ⟦q⟧ ∪ ∃_{(id_2, x = 2y ≤ ⊤_2)} ⟦x = 2y □ true⟧ 

= (!_2, x = 2y)^♯ ⟦true⟧ (25) 

= ↓{x = 2y} 

where !_2 is the unique arrow from 2 to 0. We also have E_P(⟦_⟧)(p) = ∅. At the 
second step 

E_P²(⟦_⟧)(p) = E_P(⟦_⟧)(p) ∪ ∃_{(π_1, x² = y ≤ ⊤_1)} E_P(⟦_⟧)(x² = y □ q(x, y)) 

= ∃_{(π_1, x² = y ≤ ⊤_1)} (id_2, x² = y ≤ ⊤_2)^♯ E_P(⟦_⟧)(q) (26) 

= ∃_{(π_1, x² = y ≤ ⊤_1)} ↓{x² = y ∧ x = 2y} 

= ↓{x = 0 ∨ x = 1/2} 

where π_1 is the projection arrow from 2 to 1. Moreover, E_P²(⟦_⟧)(q) = E_P(⟦_⟧)(q) 
and we have reached the fixpoint. 
8 Conclusions

We have introduced a categorical framework to handle several extensions of logic
programming, based on Horn clauses, but interpreted in a context which is not
necessarily the Herbrand universe. Typical examples of these languages are CLP
and logic programs with built-in or embedded data types [20].

With respect to the intentions stated in the introduction, we have not tackled
the problem of programs with constraints on goals when it comes to fixpoint
semantics. From this point of view, the only advantage offered by our framework
is the ability to treat builtins. Goals whose semantics can be modified by clauses
(i.e. dynamic goals) must be freely generated as in [13].

Our categorical structures capture pure clausal programs but require the
addition of monoidal structure to handle conjunctions of categorical predicates
externally. The addition of monoidal structure is straightforward, and is
described in detail in [1].

We briefly sketch the main ideas. We use monoidal LP doctrines, i.e. LP
doctrines endowed with a monoidal structure for each fiber which is preserved
on the nose by reindexing functors. Given monoidal LP doctrines $\mathbb{P}$ and $Q$,
a monoidal interpretation is an interpretation $(f, \tau) : \mathbb{P} \to Q$ such that $\tau$
preserves on the nose the monoidal structure. This condition means that the
semantics of the conjunction is given compositionally. A monoidal model for
$(\mathbb{P}, T)$ is a monoidal interpretation together with a choice function $\iota$ for the
clauses in $\mathbb{P}$. We also define a monoidal derivation in the same way as we have
done in Section 4, but the backchain-clause rule is replaced with the following:

G (27)

if $H \leftarrow Tl$ is a clause, $\otimes$ is the monoidal tensor and $r^* G = G_1 \otimes H \otimes G_2$.

Again, if we define an appropriate equivalence relation on monoidal derivations,
we can build a free monoidal model. Finally, for the fixpoint semantics, everything
proceeds as in the section on fixpoint semantics provided that we use monoidal semantic LP
doctrines, i.e. monoidal LP doctrines with the same properties which hold for
semantic LP doctrines. We just need to add a pair of conditions to the definition
of $\tau_\sigma$ and $\delta_\sigma$, namely,

$$ \tau_\sigma(G_1 \otimes G_2) = \tau_\sigma(G_1) \otimes \tau_\sigma(G_2) , \qquad (28) $$

$$ \delta_{\sigma,\, G_1 \otimes G_2} = \delta_{\sigma,\, G_1} \otimes \delta_{\sigma,\, G_2} . \qquad (29) $$

Together with the goal-free condition, we also require that clauses only have
atomic goals as heads. Then, all the results we have shown in this paper also
hold for the monoidal case.

Finally, note that we can use weaker structure on the fibers, like premonoidal
structures, to give an account of selection rules [1].
Abstract. Finite failure of computations plays an important role as a
programming construct in the logic programming paradigm, and it has
been shown that this also extends to the case of the functional logic programming
paradigm. In particular we have considered CRWLF, a previous
proof-theoretic semantic framework able to deduce negative (failure)
information from functional logic programs. The non-deterministic nature
of functions considered in CRWLF leads naturally to a set-valued
semantic description of expressions. Here we reformulate the framework
to stress that set flavour, both at syntactic and semantic levels. The
given approach, for which we obtain equivalence results with respect to
the previous one, increases the expressiveness for writing programs and
(hopefully) clarifies the understanding of the semantics given to non-deterministic
functions, since classical mathematical notions like union
of sets or families of sets are used. An important step in the reformulation
is a useful program transformation which is proved to be correct
within the framework.



1 Introduction

Functional logic programming (FLP for short) [7] is a powerful programming
paradigm trying to combine into a single language the nicest features of both
functional and logic programming styles. Most of the proposals consider some
kind of constructor-based rewrite systems as programs and use some kind of
narrowing as operational mechanism. There are practical systems, like Curry [8]
or TOY [11], supporting most of the features of functional and logic languages.

There is nevertheless a major aspect of logic programming still not incorporated
into existing FLP proposals. It is negation as failure, a main topic of research
in the logic programming field (see [1] for a survey), and a very useful expressive
resource for writing logic programs.

There have been a few works devoted to this issue. In [?] the work of
Stuckey [?] about constructive negation is adapted to FLP, in strict and lazy
versions. A different approach has been followed in [12], where a Constructor
Based ReWriting Logic with Failure (CRWLF) is proposed as a proof-theoretic
R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 455-469, 2001.
semantic framework for failure in FLP. Starting from CRWL [5,6], a well established
theoretical framework for FLP including a deduction calculus for reduction,
CRWLF consists of a new proof calculus able to prove (computable cases
of) failure of CRWL-provability, corresponding to 'finite failure' of reduction.
The non-deterministic nature of functions considered in CRWL and CRWLF
leads naturally to a set-valued semantic description of expressions. In this paper
we reformulate the framework to stress that set flavour, both at syntactic and
semantic levels.

The organization of the paper is as follows. We first give some motivations
and discuss preliminary examples to help the understanding of the paper. Section
3 presents the CRWLF framework. In Section 4 we define and give correctness
results for a program transformation which is needed for the rest of the paper.
In Section 5 we reformulate in a set-oriented manner the CRWLF framework:
at the syntactic level we introduce set-constructs like unions or indexed unions;
we present a proof calculus for the new programs; we explain how to transform
CRWLF-programs into this new syntax, and give a strong result of semantic
equivalence.

2 Preliminary Discussion

• CRWLF and non-deterministic functions: CRWL [5,6] models reduction
by means of a relation $e \to t$, meaning operationally 'the expression $e$ reduces to
the term $t$' or semantically '$t$ is an approximation of $e$'s denotation'. The main
technical insight of CRWLF was to replace the CRWL-statements $e \to t$ by the
statements $e \triangleleft \mathcal{C}$, where $\mathcal{C}$ is what we call a Sufficient Approximation Set (SAS)
for $e$, i.e., a finite set of approximations collected from all the different ways of
reducing $e$ to the extent required for the proof in turn. To prove failure of $e$
corresponds to prove $e \triangleleft \{\mathrm{F}\}$, where $\mathrm{F}$ is a constant introduced in CRWLF to
represent failure.

While each proof of CRWL concentrates on one particular way of reducing $e$,
CRWLF obtains proofs related to all the possible ways of doing it. That the two
things are not the same is because CRWL-programs are not required to be confluent,
therefore defining functions which can be non-deterministic, i.e. yielding,
for given arguments, different values coming from different possible reductions.
The use of lazy non-deterministic functions is now a standard programming
technique in systems like Curry or TOY.

Non-determinism induces some kind of set-valued semantics for functions and
expressions. As a simple example, assume the constructors $z$ and $s$, and consider
the non-confluent program:

$$ f(X) = X \qquad\qquad add(z, Y) = Y $$
$$ f(X) = s(X) \qquad\quad add(s(X), Y) = s(add(X, Y)) $$

For each $X$, $f(X)$ can be reduced to two possible values, $X$ and $s(X)$. The
expression $add(f(z), f(z))$ can be reduced in different ways to obtain three possible
values: $z$, $s(z)$ and $s(s(z))$. This set-valued semantics is reflected in the
model semantics of CRWL, but not at the level of the proof calculus. CRWL is
only able to prove separately $add(f(z), f(z)) \to z$, $add(f(z), f(z)) \to s(z)$ and
$add(f(z), f(z)) \to s(s(z))$ (and partial approximations like $add(f(z), f(z)) \to
s(\bot)$).

In contrast, the calculus of CRWLF is designed to collect sets of values. For
instance, to prove failure of the expression $g(add(f(z), f(z)))$, when $g$ is defined
by $g(s(s(s(X)))) = z$, CRWLF needs to prove $add(f(z), f(z)) \triangleleft \{z, s(z), s(s(z))\}$.
One of our main interests in the present work has been to reconsider some
aspects of CRWLF to emphasize this set-minded view of programs.

• Call-time choice semantics: The semantics for non-deterministic functions
adopted in CRWL is call-time choice [9]. Roughly speaking it means:
to reduce $f(e_1, \ldots, e_n)$ using a rule of $f$, first choose one of the possible values
of $e_1, \ldots, e_n$ and then apply the rule. Consider for instance the function
$double(X) = add(X, X)$, and the expression $double(f(z))$, where $f$ is the non-deterministic
function defined above. The values for $double(f(z))$ come from
picking a value for $f(z)$ and then applying the rule for $double$, obtaining then
only two values, $z$ and $s(s(z))$, but not $s(z)$.

To understand the fact that $double(f(z))$ and $add(f(z), f(z))$ are not the
same in call-time choice, one must think that in the definition of $double$ the
variable $X$ ranges over the universe of values (constructor terms), and not over
the universe of expressions, which in general represent sets of values. This corresponds
nicely to the classical view of functions in mathematics: if we define
$double(n) = add(n, n)$ for natural numbers (values), then the equation
$double(A) = add(A, A)$ is not valid for sets $A$ of natural numbers, according
to the usual definition of application of a function $f$ to a subset of its domain:
$f(A) = \{f(x) \mid x \in A\}$. In fact, we have $double(\{0, 1\}) = \{double(x) \mid x \in
\{0, 1\}\} = \{0, 2\}$, while $add(\{0, 1\}, \{0, 1\}) = \{add(x, y) \mid x \in \{0, 1\},\ y \in \{0, 1\}\} =
\{0, 1, 2\}$. That is, mathematical practice follows call-time semantics.

The use of classical set notation can clarify the reading of expressions. For
instance, instead of $double(f(z))$ we can write $\bigcup_{X \in f(z)} double(X)$. These kinds
of set-based changes in syntax are one of our contributions.

• Overlapping programs: To write programs in a set-oriented style we find
the problem that different values for a function application can be spread out
through different rules. This is not the case of non-overlapping rules, and the
case of rules with identical (or variant) heads is also not problematic, since
the rules can be merged into a single one: for the function $f$ above, we can
write $f(X) = \{X\} \cup \{s(X)\}$. The problem comes with definitions like $l(z, z) =
0$, $l(z, X) = s(0)$, where the heads overlap but are not variants. To avoid such
situations Antoy introduces in [3] the class of overlapping inductively sequential
programs and proposes in [1] a transformation from general programs to that
format. We consider also this class of programs when switching to set-oriented
syntax, and propose a transformation with a better behavior than that of [1].
3 The CRWLF Framework

The CRWLF calculus that we show here is a slightly modified version of that
in [12], in two aspects. First, for the sake of simplicity we have only considered
programs with unconditional rules. Second, in [12] programs were 'positive', not
making use of failure inside them. Here we allow programs to use a 'primitive'
function $fails(\_)$ intended to be $true$ when its argument fails to be reduced,
and $false$ otherwise. This behavior of $fails$ is determined explicitly in the proof
calculus.

The function $fails$ is quite an expressive resource. As an application we show
by an example how to express default rules in function definitions.

Example 1. In many pure functional systems pattern matching determines the
applicable rule for a function call, and as rules are tried from top to bottom,
default rules are implicit in the definitions. In fact, the $n+1$-th rule in a definition
is only applied if the first $n$ rules are not applicable. For example, assume the
following definition for the function $f$:

$$ f(z) = z \qquad\qquad f(X) = s(z) $$

The evaluation of the expression $f(z)$ in a functional language (like Haskell
[?]) will produce the value $z$ by the first rule. The second rule is not used
for evaluating $f(z)$, even if pattern matching would succeed if the rule were
considered individually. This contrasts with functional logic languages (like
Curry [8] or TOY [11]) which try to preserve the declarative reading of each
rule. In such systems the expression $f(z)$ would be reduced, by applying in a
non-deterministic way any of the rules, to the values $z$ and $s(z)$.

To achieve the effect of default rules in FLP, an explicit syntactical construction
'default' can be introduced, as suggested in [?]. The function $f$ could be
defined as:

$$ f(z) = z $$
$$ \mathbf{default}\ f(X) = s(z) $$

The intuitive operational meaning is: to reduce a call to $f$ proceed with the
first rule for $f$; if the reduction fails then try the default rule. Using the function
$ifThen$ (defined as $ifThen(true, X) = X$) and the predefined function $fails$, we
can transform the previous definition into:

$$ f(X) = f'(X) \qquad\qquad f'(z) = z $$
$$ f(X) = ifThen(fails(f'(X)), s(z)) $$

This definition achieves the expected behavior for $f$ without losing the equational
meaning of rules.

3.1 Technical Preliminaries

We assume a signature $\Sigma = DC_\Sigma \cup FS_\Sigma \cup \{fails\}$ where $DC_\Sigma = \bigcup_{n \in \mathbb{N}} DC^n$ is a
set of constructor symbols containing at least $true$ and $false$, $FS_\Sigma = \bigcup_{n \in \mathbb{N}} FS^n$
is a set of function symbols, all of them with associated arity and such that
$DC_\Sigma \cap FS_\Sigma = \emptyset$, and $fails \notin DC \cup FS$ (with arity 1). We also assume a countable
set $V$ of variable symbols. We write $Term_\Sigma$ for the set of (total) terms (we say
also expressions) built over $\Sigma$ and $V$ in the usual way, and we distinguish the
subset $CTerm_\Sigma$ of (total) constructor terms or (total) cterms, which only make
use of $DC_\Sigma$ and $V$. The subindex $\Sigma$ will be usually omitted. Terms intend to
represent possibly reducible expressions, while cterms represent data values, not
further reducible.

We will need sometimes to use the signature $\Sigma_\bot$ which is the result of extending
$\Sigma$ with the new constant (0-arity constructor) $\bot$, that plays the role of
the undefined value. Over $\Sigma_\bot$, we can build the sets $Term_\bot$ and $CTerm_\bot$ of
(partial) terms and (partial) cterms respectively. Partial cterms represent the result
of partially evaluated expressions; thus, they can be seen as approximations
to the value of expressions. The signature $\Sigma_{\bot,\mathrm{F}}$ results of adding to $\Sigma_\bot$ a new
constant $\mathrm{F}$, to express failure of reduction. The sets $Term_{\bot,\mathrm{F}}$ and $CTerm_{\bot,\mathrm{F}}$ are
defined in the natural way.

We will use three kinds of substitutions $CSubst$, $CSubst_\bot$ and $CSubst_{\bot,\mathrm{F}}$, defined
as applications from $V$ into $CTerm$, $CTerm_\bot$ and $CTerm_{\bot,\mathrm{F}}$ respectively.

As usual notations we will write $X, Y, Z, \ldots$ for variables, $c, d$ for constructor
symbols, $f, g$ for functions, $e$ for terms and $s, t$ for cterms. In all cases, primes
(') and subindices can be used.

Given a set of constructor symbols $D$, we say that the terms $t$ and $t'$ have a
$D$-clash if they have different constructor symbols of $D$ at the same position.

A natural approximation ordering $\sqsubseteq$ over $Term_{\bot,\mathrm{F}}$ can be defined as the least
partial ordering over $Term_{\bot,\mathrm{F}}$ satisfying the following properties:

• $\bot \sqsubseteq e$ for all $e \in Term_{\bot,\mathrm{F}}$,

• $h(e_1, \ldots, e_n) \sqsubseteq h(e'_1, \ldots, e'_n)$, if $e_i \sqsubseteq e'_i$ for all $i \in \{1, \ldots, n\}$, $h \in DC \cup FS \cup
\{fails\} \cup \{\mathrm{F}\}$

The intended meaning of $e \sqsubseteq e'$ is that $e$ is less defined or has less information
than $e'$. Notice that according to this $\mathrm{F}$ is maximal. Two expressions $e, e' \in
Term_{\bot,\mathrm{F}}$ are consistent if there exists $e'' \in Term_{\bot,\mathrm{F}}$ such that $e \sqsubseteq e''$ and
$e' \sqsubseteq e''$.

We extend the order $\sqsubseteq$ and the notion of consistency to sets of terms: given
$\mathcal{C}, \mathcal{C}' \subseteq CTerm_{\bot,\mathrm{F}}$, $\mathcal{C} \sqsubseteq \mathcal{C}'$ if for all $t \in \mathcal{C}$ there exists $t' \in \mathcal{C}'$ with $t \sqsubseteq t'$ and for
all $t' \in \mathcal{C}'$ there exists $t \in \mathcal{C}$ with $t \sqsubseteq t'$. The sets $\mathcal{C}, \mathcal{C}'$ are consistent if there
exists $\mathcal{C}''$ such that $\mathcal{C} \sqsubseteq \mathcal{C}''$ and $\mathcal{C}' \sqsubseteq \mathcal{C}''$.

A CRWLF-program $\mathcal{P}$ is a set of rewrite rules of the form $f(\bar t) \to e$, where
$f \in FS^n$; $\bar t$ is a linear tuple (each variable in it occurs only once) of cterms;
$e \in Term$ and $var(e) \subseteq var(\bar t)$. We say that $f(\bar t)$ is the head and $e$ is the body of
the rule. We write $\mathcal{P}_f$ for the set of defining rules of $f$ in $\mathcal{P}$.

To express call-time choice, the calculus of the next section uses the set of
c-instances of a rule $R$, defined as $[R]_{\bot,\mathrm{F}} = \{R\theta \mid \theta \in CSubst_{\bot,\mathrm{F}}\}$.
3.2 The Proof Calculus CRWLF

The proof calculus CRWLF defines the relation $e \triangleleft \mathcal{C}$ where $e \in Term_{\bot,\mathrm{F}}$ and
$\mathcal{C} \subseteq CTerm_{\bot,\mathrm{F}}$; we say that $\mathcal{C}$ is a Sufficient Approximation Set (SAS) for the
expression $e$. A SAS is a finite approximation to the denotation of an expression.
For example, if $f$ is defined as $f(X) \to X$, $f(X) \to s(X)$, then we have the sets
$\{\bot\}$, $\{z, \bot\}$, $\{z, s(\bot)\}$, $\{\bot, s(\bot)\}$, $\{\bot, s(z)\}$ and $\{z, s(z)\}$ as finite approximations
to the denotation of $f(z)$.



Table 1. Rules for CRWLF-provability

(1) $\dfrac{}{e \triangleleft \{\bot\}}$ \quad $e \in Term_{\bot,\mathrm{F}}$

(2) $\dfrac{}{X \triangleleft \{X\}}$ \quad $X \in V$

(3) $\dfrac{e_1 \triangleleft \mathcal{C}_1 \;\ldots\; e_n \triangleleft \mathcal{C}_n}{c(e_1, \ldots, e_n) \triangleleft \{c(\bar t) \mid \bar t \in \mathcal{C}_1 \times \ldots \times \mathcal{C}_n\}}$ \quad $c \in DC^n \cup \{\mathrm{F}\}$

(4) $\dfrac{e_1 \triangleleft \mathcal{C}_1 \;\ldots\; e_n \triangleleft \mathcal{C}_n \;\ldots\; f(\bar t) \triangleleft_R \mathcal{C}_{\bar t, R} \;\ldots}{f(e_1, \ldots, e_n) \triangleleft \mu\big(\bigcup_{\bar t \in \mathcal{C}_1 \times \ldots \times \mathcal{C}_n,\ R \in \mathcal{P}_f} \mathcal{C}_{\bar t, R}\big)}$ \quad $f \in FS^n$

(5), (6): [rules not recoverable from the page]

(7) $\dfrac{}{f(t_1, \ldots, t_n) \triangleleft_R \{\mathrm{F}\}}$ \quad $R = (f(s_1, \ldots, s_n) \to e)$, $t_i$ and $s_i$ have a
$DC \cup \{\mathrm{F}\}$-clash for some $i \in \{1, \ldots, n\}$

(8) $\dfrac{e \triangleleft \{\mathrm{F}\}}{fails(e) \triangleleft \{true\}}$

(9) $\dfrac{e \triangleleft \mathcal{C}}{fails(e) \triangleleft \{false\}}$ \quad $t \in \mathcal{C}$, $t \neq \bot$, $t \neq \mathrm{F}$

Rules for CRWLF-provability are shown in Table 1. Rules 1 to 7 are the
restriction of the calculus in [12] to unconditional programs. Rules 8 and 9 define
the function $fails$ according to the specification given in Sect. 3.

The auxiliary relation $\triangleleft_R$ used in rule 4 depends on a particular program
rule $R$, and is defined in rules 5 to 7. The function $\mu$ in rule 4 is a simplification
function for SAS's to delete irrelevant occurrences of $\mathrm{F}$. It is defined as $\mu(\{\mathrm{F}\}) =
\{\mathrm{F}\}$; $\mu(\mathcal{C}) = \mathcal{C} - \{\mathrm{F}\}$ otherwise (see [12] for a justification).

Given a program $\mathcal{P}$ and an expression $e$, we write $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}$ to express that
the relation $e \triangleleft \mathcal{C}$ is provable with respect to CRWLF and the program $\mathcal{P}$. The
denotation of $e$ is defined as $[\![e]\!]^{\mathcal{P}} = \{\mathcal{C} \mid \mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}\}$. Notice that the denotation
of an expression is a set of sets of partial values. For the function $f$ above
we have $[\![f(z)]\!]^{\mathcal{P}} = \{\{\bot\}, \{z, \bot\}, \{z, s(\bot)\}, \{\bot, s(\bot)\}, \{\bot, s(z)\}, \{z, s(z)\}\}$.

The calculus CRWLF verifies the following properties:

Proposition 1. Let $\mathcal{P}$ be a CRWLF-program. Then:

a) Consistency of SAS's: $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}$, $e \triangleleft \mathcal{C}'$ $\Rightarrow$ $\mathcal{C}$ and $\mathcal{C}'$ are consistent.
Moreover, there exists $\mathcal{C}''$ such that $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}''$, with $\mathcal{C} \sqsubseteq \mathcal{C}''$ and $\mathcal{C}' \sqsubseteq \mathcal{C}''$.

b) Monotonicity: $e \sqsubseteq e'$ and $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}$ $\Rightarrow$ $\mathcal{P} \vdash_{CRWLF} e' \triangleleft \mathcal{C}$.

c) Total Substitutions: $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C}$ $\Rightarrow$ $\mathcal{P} \vdash_{CRWLF} e\theta \triangleleft \mathcal{C}\theta$, for $\theta \in CSubst$.

These properties can be understood in terms of information. As we have seen,
in general we can obtain different SAS's for the same expression corresponding to
different degrees of evaluation. Nevertheless, Consistency ensures that any two
SAS's for a given expression can be refined to a common one. Monotonicity says
that the information that can be extracted from an expression can not decrease
when we add information to the expression itself. And Total Substitutions
shows that provability in CRWLF is closed under total substitutions.

4 Overlapping Inductively Sequential Programs

In [3], Antoy introduces the notion of Overlapping Inductively Sequential programs
(OIS-programs) based on the idea of definitional trees [2]. We give here
an equivalent but slightly different definition.

Definition 1 (OIS-CRWLF-Programs). A CRWLF-program is called overlapping
inductively sequential if every pair of rules $f(\bar t_1) \to e_1$, $f(\bar t_2) \to e_2$ satisfies:
the heads $f(\bar t_1)$ and $f(\bar t_2)$ are unifiable iff they are the same up to variable
renaming.

We next see that every CRWLF-program can be transformed into a semantically
equivalent OIS-CRWLF-program.

4.1 Transformation of CRWLF-Programs into OIS-CRWLF-Programs

We need some usual terminology about positions in terms. A position $u$ in a
term $e$ is a sequence of positive integers $p_1 \cdot \ldots \cdot p_m$ that identifies the symbol of $e$
at position $u$. We write $VP(e)$ for the set of positions in $e$ occupied by variables.
We say that a position $u$ is demanded by a rule $f(\bar t) \to e$ if the head $f(\bar t)$ has a
constructor symbol of $DC$ at position $u$. Given a set of rules $Q$ and a position
$u$, we say that $u$ is demanded by $Q$ if $u$ is demanded by some rule of $Q$, and we
say that $u$ is uniformly demanded by $Q$ if it is demanded by all rules of $Q$.

Definition 2 (Transformation of Sets of Rules). The transformation algorithm
is specified by a function $\Delta(Q, f(\bar s))$ where:

— $Q = \{(f(\bar t_1) \to e_1), \ldots, (f(\bar t_n) \to e_n)\}$

— $f(\bar s)$ is a pattern compatible with $Q$, i.e., $\bar s$ is a linear tuple of cterms and
for all $i \in \{1, \ldots, n\}$, $f(\bar s)$ is more general than $f(\bar t_i)$ (i.e., $\bar s\theta = \bar t_i$, for some
$\theta \in CSubst$).

$\Delta$ is defined by the following three cases:
1. Some position $u$ in $VP(f(\bar s))$ is uniformly demanded by $Q$ (if there
are several, choose any).

Let $X$ be the variable at position $u$ in $f(\bar s)$. Let $C = \{c_1, \ldots, c_k\}$ be the set of
constructor symbols at position $u$ in the heads of the rules of $Q$ and $\bar s_{c_i} =
\bar s[X / c_i(\bar Y)]$, where $\bar Y$ is an $m$-tuple of fresh variables (assuming $c_i \in DC^m$).
For each $i \in \{1, \ldots, k\}$ we define the set $Q_{c_i}$ as the set of rules of $Q$ demanding
$c_i$ at position $u$.

Return $\Delta(Q_{c_1}, f(\bar s_{c_1})) \cup \ldots \cup \Delta(Q_{c_k}, f(\bar s_{c_k}))$

2. Some position in $VP(f(\bar s))$ is demanded by $Q$, but none is uniformly
demanded.

Let $u_1, \ldots, u_k$ be the demanded positions (ordered by any criterion). Consider
the following partition (with renaming of function names in heads) over $Q$:

• Let $Q^{u_1}$ be the subset of rules of $Q$ demanding position $u_1$, where the
function symbol $f$ of the heads has been replaced by $f^{u_1}$, and $Q_{u_1} = Q - Q^{u_1}$.

• Let $Q^{u_2}$ be the subset of rules of $Q_{u_1}$ demanding position $u_2$, where the
function symbol $f$ of the heads has been replaced by $f^{u_2}$, and let $Q_{u_2} =
Q_{u_1} - Q^{u_2}$.

...

• Let $Q^{u_k}$ be the subset of rules of $Q_{u_{k-1}}$ demanding position $u_k$, where the
function symbol $f$ of the heads has been replaced by $f^{u_k}$.

• And let $Q_{u_k}$ be the subset of rules of $Q$ that do not demand any position.

Return $Q_{u_k} \cup \{f(\bar s) \to f^{u_1}(\bar s), \ldots, f(\bar s) \to f^{u_k}(\bar s)\} \cup \Delta(Q^{u_1}, f^{u_1}(\bar s)) \cup \ldots \cup
\Delta(Q^{u_k}, f^{u_k}(\bar s))$

3. No position in $VP(f(\bar s))$ is demanded by $Q$, then Return $Q$

The initial call for transforming the defining rules of $f$ will be $\Delta(\mathcal{P}_f, f(\bar X))$,
and a generic call will have the form $\Delta(Q, f^u(\bar s))$, where $Q$ is a set of rules and
$f^u(\bar s)$ is a pattern compatible with $Q$. We illustrate this transformation by an
example:

Example 2. Consider the constants $a$, $b$ and $c$ and a function defined by the set of
rules $\mathcal{P}_f = \{f(a, X) \to a,\ f(a, b) \to b,\ f(b, a) \to a\}$. To obtain the corresponding
OIS-set of rules the algorithm works in this way (writing $f'$ for $f^{2}$):

$\Delta(\{f(a, X) \to a,\ f(a, b) \to b,\ f(b, a) \to a\},\ f(Y, Z))$

$= $ (by 1)

$\Delta(\{f(a, X) \to a,\ f(a, b) \to b\},\ f(a, Z)) \;\cup\; \Delta(\{f(b, a) \to a\},\ f(b, Z))$

$= $ (by 2 on the first call, by 1 on the second)

$\{f(a, X) \to a\} \cup \{f(a, Z) \to f'(a, Z)\} \cup \Delta(\{f'(a, b) \to b\},\ f'(a, Z)) \;\cup\; \Delta(\{f(b, a) \to a\},\ f(b, a))$

$= $ (by 1 on the remaining first call, by 3 on the second)

$\{f(a, X) \to a\} \cup \{f(a, Z) \to f'(a, Z)\} \cup \Delta(\{f'(a, b) \to b\},\ f'(a, b)) \cup \{f(b, a) \to a\}$

$= $ (by 3)

$\{f(a, X) \to a\} \cup \{f(a, Z) \to f'(a, Z)\} \cup \{f'(a, b) \to b\} \cup \{f(b, a) \to a\}$

$= \{f(a, X) \to a,\ f(a, Z) \to f'(a, Z),\ f(b, a) \to a,\ f'(a, b) \to b\}$

Functional Logic Programming with Failure: A Set-Oriented View 463
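The transformation $\Delta$ of Definition 2, the OIS test of Definition 1 and the program-level $\Delta$ of Definition 3, as an added example in Python (not the paper's own code). The rule and term representation, the spelling of the auxiliary function $f^{u}$ as `f^2` (so `f^2` plays the role of $f'$ above) and the fresh-variable scheme are assumptions of this example; it also skips the bridge rule $f(\bar s) \to f^{u_i}(\bar s)$ when $Q^{u_i}$ is empty, which the definition would keep as a rule calling a function with no defining rules. Run on $\mathcal{P}_f$ of Example 2 it returns the four rules derived above, and applying it again returns them unchanged.

```python
"""Delta of Definition 2 and the OIS check of Definition 1 (added example,
not the paper's code).  Representation is an assumption of this example: a
variable is a str starting with an upper-case letter, a constructor term is a
tuple (name, arg1, ..., argn), a rule is (fname, head_args, body), and the
auxiliary function f^u for position u is spelled "f^u"."""
import itertools

_fresh = itertools.count(1)


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def subterm(args, pos):
    """pos = (i, p1, ..., pm): argument i (0-based), then child positions
    (1-based, since index 0 of a term tuple is its constructor)."""
    t = args[pos[0]]
    for i in pos[1:]:
        t = t[i]
    return t


def replace_at(args, pos, new):
    def go(t, rest):
        if not rest:
            return new
        i = rest[0]
        return t[:i] + (go(t[i], rest[1:]),) + t[i + 1:]
    return go(args, pos)


def var_positions(args):
    """VP(f(args)): the positions occupied by variables."""
    out = []

    def walk(t, pos):
        if is_var(t):
            out.append(pos)
        else:
            for i, a in enumerate(t[1:], 1):
                walk(a, pos + (i,))

    for i, a in enumerate(args):
        walk(a, (i,))
    return out


def demands(rule, pos):
    return not is_var(subterm(rule[1], pos))


def delta(rules, fname, pattern):
    """Delta(Q, f(s)): Q a list of rules for fname, f(pattern) compatible."""
    rules = list(rules)
    demanded = [u for u in var_positions(pattern)
                if any(demands(r, u) for r in rules)]
    uniform = [u for u in demanded if all(demands(r, u) for r in rules)]
    if uniform:                                                # case 1
        u, result, cons = uniform[0], set(), []
        for r in rules:
            c = subterm(r[1], u)
            if (c[0], len(c) - 1) not in cons:
                cons.append((c[0], len(c) - 1))
        for name, arity in cons:
            q_c = [r for r in rules if subterm(r[1], u)[0] == name
                   and len(subterm(r[1], u)) == arity + 1]
            fresh = (name,) + tuple("V%d" % next(_fresh) for _ in range(arity))
            result |= delta(q_c, fname, replace_at(pattern, u, fresh))
        return result
    if demanded:                                               # case 2
        result = {r for r in rules
                  if not any(demands(r, u) for u in demanded)}
        remaining = rules
        for u in demanded:
            q_u = [r for r in remaining if demands(r, u)]
            remaining = [r for r in remaining if not demands(r, u)]
            if not q_u:
                continue
            f_u = "%s^%s" % (fname, ".".join(str(p) for p in (u[0] + 1,) + u[1:]))
            result.add((fname, pattern, (f_u,) + pattern))      # f(s) -> f^u(s)
            result |= delta([(f_u, r[1], r[2]) for r in q_u], f_u, pattern)
        return result
    return set(rules)                                          # case 3


def clash(s, t):
    if is_var(s) or is_var(t):
        return False
    if s[0] != t[0] or len(s) != len(t):
        return True
    return any(clash(a, b) for a, b in zip(s[1:], t[1:]))


def variants(s, t):
    if is_var(s) or is_var(t):
        return is_var(s) and is_var(t)
    return (s[0] == t[0] and len(s) == len(t)
            and all(variants(a, b) for a, b in zip(s[1:], t[1:])))


def is_ois(rules):
    """Definition 1.  Heads are linear with variables renamed apart, so two
    heads unify exactly when they have no DC-clash."""
    for r1, r2 in itertools.combinations(rules, 2):
        if r1[0] != r2[0]:
            continue
        unifiable = not any(clash(a, b) for a, b in zip(r1[1], r2[1]))
        same = all(variants(a, b) for a, b in zip(r1[1], r2[1]))
        if unifiable != same:
            return False
    return True


def delta_program(rules):
    """Definition 3: transform each function from the pattern f(X1, ..., Xn)."""
    out = set()
    for fname in sorted({r[0] for r in rules}):
        q = [r for r in rules if r[0] == fname]
        out |= delta(q, fname, tuple("X%d" % i for i in range(1, len(q[0][1]) + 1)))
    return out


# Constructed sample: P_f of Example 2.
A, B = ("a",), ("b",)
P_f = [("f", (A, "X"), A), ("f", (A, B), B), ("f", (B, A), A)]

if __name__ == "__main__":
    for rule in sorted(delta(P_f, "f", ("Y", "Z")), key=repr):
        print(rule)
```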

Our transformation is quite related to the actual construction of the definitional
tree [2,10] of a function. A different algorithm to obtain an OIS-set of
rules from a general set of rules is described in [1]. For the example above, such
algorithm provides the following set of rules:

$$ f(X, Y) \to f_1(X, Y) \mid f_2(X, Y) \qquad \ldots \qquad f_2(b, a) \to a $$

where the symbol '|' stands for a choice between two alternatives. This transformed
set is worse than the one obtained by our transformation: for evaluating
a call to $f$ it begins with a search with two alternatives $f_1$ and $f_2$, even when
it is not needed. For example, for evaluating $f(b, a)$, it tries both alternatives,
but this reduction corresponds to a deterministic computation with the original
program and also with our transformed one. The situation is clearly unpleasant
if instead of $b$, we consider an expression $e$ with a costly reduction to $b$.

Definition 3 (Transformation of Programs). Given a CRWLF-program $\mathcal{P}$
we define the transformed program $\Delta(\mathcal{P})$ as the union of the transformed sets of
defining rules for the functions defined in $\mathcal{P}$.

It is easy to check that $\Delta(\mathcal{P})$ is indeed an OIS-CRWLF-program, and that
$\Delta(\mathcal{P}) = \mathcal{P}$ if $\mathcal{P}$ is already an OIS-CRWLF-program.

Theorem 1 (Correctness of the Transformation). For every CRWLF-program
$\mathcal{P}$, $\Delta(\mathcal{P})$ is an OIS-CRWLF-program satisfying: for every $e \in Term_{\bot,\mathrm{F}}$
built over the signature of $\mathcal{P}$, $\mathcal{P} \vdash_{CRWLF} e \triangleleft \mathcal{C} \iff \Delta(\mathcal{P}) \vdash_{CRWLF} e \triangleleft \mathcal{C}$.

5 A Set Oriented View of CRWLF: $\overline{CRWLF}$

In this section we introduce the notion of sas-expression as a syntactical construction,
close to classical set notation, that provides a clear "intuitive semantics"
for the denotation of an expression.

5.1 Sas-Expressions

A sas-expression is intended as a construction for collecting values. These values
may either appear explicitly in the construction or they can be eventually
obtained by reducing function calls. Formally, a sas-expression $S$ is defined as:

$$ S ::= \{t\} \;\mid\; \bigcup_{X \in f(\bar t)} S_1 \;\mid\; \bigcup_{X \in fails(S_1)} S_2 \;\mid\; \bigcup_{X \in S_1} S_2 \;\mid\; S_1 \cup S_2 $$

where $t \in CTerm_{\bot,\mathrm{F}}$, $\bar t \in CTerm_{\bot,\mathrm{F}} \times \ldots \times CTerm_{\bot,\mathrm{F}}$, $f \in FS^n$ and $S_1, S_2$ are
sas-expressions.

The variable $X$ in $\bigcup_{X \in S_1} S_2$ is called a produced variable. We can define
formally the set $pvar(S)$ of produced variables of a sas-expression $S$ as:

— $pvar(\{t\}) = \emptyset$

— $pvar(\bigcup_{X \in f(\bar t)} S) = \{X\} \cup pvar(S)$

— $pvar(\bigcup_{X \in fails(S_1)} S_2) = \{X\} \cup pvar(S_1) \cup pvar(S_2)$

— $pvar(\bigcup_{X \in S_1} S_2) = \{X\} \cup pvar(S_1) \cup pvar(S_2)$

— $pvar(S_1 \cup S_2) = pvar(S_1) \cup pvar(S_2)$

A sas-expression $S$ is called admissible if it satisfies the following properties:

— if $S = S_1 \cup S_2$ then it must be $(var(S_1) - pvar(S_1)) \cap pvar(S_2) = \emptyset$, and
conversely $(var(S_2) - pvar(S_2)) \cap pvar(S_1) = \emptyset$. The aim of this condition
is to express that a variable can not appear in both $S_1$ and $S_2$ as produced
and as not-produced variable.

— if $S = \bigcup_{X \in r} S'$ then $X \notin var(r) \cup pvar(S')$ and $var(r) \cap pvar(S') = \emptyset$

In the following we write $SasExp$ for the set of admissible sas-expressions.
We now define substitutions for non-produced variables.

Definition 4 (Substitutions for Sas-Expressions). Given $S \in SasExp$,
$Y \notin pvar(S)$ and $s \in CTerm_{\bot,\mathrm{F}}$, the substitution $S[Y/s]$ is defined on the
structure of $S$ as:

— $\{t\}[Y/s] = \{t[Y/s]\}$

— $(\bigcup_{X \in f(\bar t)} S)[Y/s] = \bigcup_{X \in f(\bar t)[Y/s]} S[Y/s]$

— $(\bigcup_{X \in fails(S_1)} S_2)[Y/s] = \bigcup_{X \in fails(S_1[Y/s])} S_2[Y/s]$

— $(\bigcup_{X \in S_1} S_2)[Y/s] = \bigcup_{X \in S_1[Y/s]} S_2[Y/s]$

— $(S_1 \cup S_2)[Y/s] = S_1[Y/s] \cup S_2[Y/s]$

The expression $S\theta$, where $\theta = [Y_1/s_1] \ldots [Y_k/s_k]$, stands for the successive
application of the substitutions $[Y_1/s_1], \ldots, [Y_k/s_k]$ to $S$.

We will also use set-substitutions for sas-expressions: given a set $\mathcal{C} =
\{s_1, \ldots, s_n\} \subseteq CTerm_{\bot,\mathrm{F}}$ we will write $S[Y/\mathcal{C}]$ as a shorthand for the distribution
$S[Y/s_1] \cup \ldots \cup S[Y/s_n]$.

In order to simplify some expressions, we also introduce the following notation:
given $h \in DC^n \cup FS^n$ and $\mathcal{C} = \{t_1, \ldots, t_m\} \subseteq CTerm_{\bot,\mathrm{F}}$, we will write
$h(e_1, \ldots, e_{i-1}, \mathcal{C}, e_{i+1}, \ldots, e_n) \triangleleft \mathcal{C}'$ as a shorthand for $\mathcal{C}' = \mathcal{C}_1 \cup \ldots \cup \mathcal{C}_m$, where
$h(e_1, \ldots, e_{i-1}, t_1, \ldots, e_n) \triangleleft \mathcal{C}_1, \ldots, h(e_1, \ldots, e_{i-1}, t_m, \ldots, e_n) \triangleleft \mathcal{C}_m$. We will
also use a generalized version of this notation and write $h(\mathcal{C}_1, \ldots, \mathcal{C}_n) \triangleleft \mathcal{C}$, where
$\mathcal{C}_1, \ldots, \mathcal{C}_n \subseteq CTerm_{\bot,\mathrm{F}}$.

5.2 Terms as Sas-Expressions

In this section we make precise how to convert expressions into the set-oriented syntax
of sas-expressions.

Definition 5 (Conversion into Sas-Expressions). The sas-expression $\bar e$ corresponding
to $e \in Term_{\bot,\mathrm{F}}$ is defined inductively as follows:

— $\bar X = \{X\}$, for every $X \in V$.

— $\overline{c(e_1, \ldots, e_n)} = \bigcup_{X_1 \in \bar e_1} \ldots \bigcup_{X_n \in \bar e_n} \{c(X_1, \ldots, X_n)\}$, for every $c \in DC^n \cup \{\bot, \mathrm{F}\}$,
where the variables $X_1, \ldots, X_n$ are fresh.

— $\overline{f(e_1, \ldots, e_n)} = \bigcup_{X_1 \in \bar e_1} \ldots \bigcup_{X_n \in \bar e_n} \bigcup_{X \in f(X_1, \ldots, X_n)} \{X\}$, for every $f \in FS^n$,
where the variables $X_1, \ldots, X_n$ and $X$ are fresh.

— $\overline{fails(e)} = \bigcup_{X \in fails(\bar e)} \{X\}$, where the variable $X$ is fresh.

As an example of conversion we have

$$ \overline{double(f(X))} = \bigcup_{Y \in \overline{f(X)}} \bigcup_{Z \in double(Y)} \{Z\}
 = \bigcup_{Y \in \bigcup_{Y_1 \in \{X\}} \bigcup_{Y_2 \in f(Y_1)} \{Y_2\}} \;\bigcup_{Z \in double(Y)} \{Z\} $$

This expression could be simplified to the shorter one $\bigcup_{Y \in f(X)} \bigcup_{Z \in double(Y)} \{Z\}$,
but this is not needed for our purposes and we do not insist on that issue.

The set-based syntax of sas-expressions results in another benefit from the
point of view of expressiveness. The notation $\bigcup_{X \in f(\bar t)} S$ is a construct that binds
the variable $X$ and generalizes the sharing-role of (non-recursive) local definitions
of functional programs. For instance, an expression like $\bigcup_{Y \in f(X)} \{c(Y, Y)\}$
expresses the sharing of $f(X)$ through the two occurrences of $Y$ in $c(Y, Y)$. The
same expression using typical let notation would be let $Y = f(X)$ in $c(Y, Y)$.
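The sas-expression syntax of Section 5.1 (produced variables, admissibility, the substitution of Definition 4) and the conversion $\bar e$ of Definition 5, as an added example in Python (not the paper's own code). The tagged-tuple representation and the fresh-variable names `V1, V2, ...` (which play the role of $Y, Y_1, Y_2, Z$ in the conversion above and are assumed not to occur in the input) are assumptions of this example; it converts $double(f(X))$, checks that the result is admissible with $X$ as its only non-produced variable, substitutes $z$ for $X$, and rejects an inadmissible union.

```python
"""Sas-expressions of Section 5.1 and the conversion of Definition 5 (added
example, not the paper's code).  Representation is an assumption of this
example: terms are tuples (symbol, arg1, ...) or variable strings starting
with an upper-case letter; sas-expressions are the tagged tuples built by
the helpers below; fresh variables are named V1, V2, ..."""
import itertools


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def term_vars(t):
    if is_var(t):
        return {t}
    return set().union(*(term_vars(a) for a in t[1:]))


def subst_term(t, y, s):
    if is_var(t):
        return s if t == y else t
    return (t[0],) + tuple(subst_term(a, y, s) for a in t[1:])


# S ::= {t} | U_{X in f(t)} S | U_{X in fails(S1)} S2 | U_{X in S1} S2 | S1 U S2
def SET(t):            return ("set", t)
def UFUN(x, call, s):  return ("ufun", x, call, s)
def UFAILS(x, s1, s2): return ("ufails", x, s1, s2)
def USAS(x, s1, s2):   return ("usas", x, s1, s2)
def UNION(s1, s2):     return ("union", s1, s2)


def pvar(S):
    tag = S[0]
    if tag == "set":
        return set()
    if tag == "ufun":
        return {S[1]} | pvar(S[3])
    if tag == "union":
        return pvar(S[1]) | pvar(S[2])
    return {S[1]} | pvar(S[2]) | pvar(S[3])          # ufails, usas


def var(S):
    tag = S[0]
    if tag == "set":
        return term_vars(S[1])
    if tag == "ufun":
        return {S[1]} | term_vars(S[2]) | var(S[3])
    if tag == "union":
        return var(S[1]) | var(S[2])
    return {S[1]} | var(S[2]) | var(S[3])


def free(S):
    """The non-produced variables var(S) - pvar(S)."""
    return var(S) - pvar(S)


def admissible(S):
    tag = S[0]
    if tag == "set":
        return True
    if tag == "union":
        s1, s2 = S[1], S[2]
        return (admissible(s1) and admissible(s2)
                and not (free(s1) & pvar(s2)) and not (free(s2) & pvar(s1)))
    x, body = S[1], S[3]                       # S = U_{x in r} body
    if tag == "ufun":
        range_vars, range_ok = term_vars(S[2]), True
    else:
        range_vars, range_ok = var(S[2]), admissible(S[2])
    return (range_ok and admissible(body)
            and x not in range_vars and x not in pvar(body)
            and not (range_vars & pvar(body)))


def subst(S, y, s):
    """Definition 4: S[y/s] for a non-produced variable y."""
    if y in pvar(S):
        raise ValueError("cannot substitute the produced variable %s" % y)
    tag = S[0]
    if tag == "set":
        return SET(subst_term(S[1], y, s))
    if tag == "ufun":
        return UFUN(S[1], subst_term(S[2], y, s), subst(S[3], y, s))
    if tag == "union":
        return UNION(subst(S[1], y, s), subst(S[2], y, s))
    return (tag, S[1], subst(S[2], y, s), subst(S[3], y, s))


def convert(e, functions, fresh=None):
    """Definition 5: the sas-expression of a term.  `functions` is the set
    of function symbols of the program; other symbols are constructors."""
    if fresh is None:
        fresh = itertools.count(1)
    if is_var(e):
        return SET(e)
    name, args = e[0], e[1:]
    if name == "fails":
        x = "V%d" % next(fresh)
        return UFAILS(x, convert(args[0], functions, fresh), SET(x))
    xs = ["V%d" % next(fresh) for _ in args]
    if name in functions:
        x = "V%d" % next(fresh)
        body = UFUN(x, (name,) + tuple(xs), SET(x))
    else:
        body = SET((name,) + tuple(xs))
    for xi, ei in reversed(list(zip(xs, args))):   # U_{X1 in e1} ... U_{Xn in en}
        body = USAS(xi, convert(ei, functions, fresh), body)
    return body


if __name__ == "__main__":
    S = convert(("double", ("f", "X")), {"double", "f"})
    print(S, pvar(S), free(S), admissible(S))
```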



5.3 Denotational Semantics for Sas-Expressions: $\overline{CRWLF}$

In this section we present the proof calculus $\overline{CRWLF}$ for sas-expressions. This
calculus is defined for programs with a set oriented notation. The idea is to start
with a CRWLF-program $\mathcal{P}$, transform it into an OIS-CRWLF-program $\Delta(\mathcal{P})$
and then transform the latter into a $\overline{CRWLF}$-program $\overline{\Delta(\mathcal{P})}$, obtained by joining
the rules with identical heads into a single rule whose body is a sas-expression
obtained from the bodies of the corresponding rules. We have proved in Sect. 4
that the first transformation preserves the semantics. In this section we prove
the same for the last one, obtaining then a strong equivalence between CRWLF
and $\overline{CRWLF}$.

Definition 6 ($\overline{CRWLF}$-Programs). A $\overline{CRWLF}$-program $\overline{\mathcal{P}}$ is a set of non-overlapping
rules of the form $f(\bar t) \to S$, where $f \in FS^n$; $\bar t$ is a linear tuple
(each variable occurs only once) of cterms; $S \in SasExp$ and $(var(S) -
pvar(S)) \subseteq var(\bar t)$. Non-overlapping means that there is not any pair of rules
with unifiable heads in $\overline{\mathcal{P}}$.

According to this definition, it is easy to obtain the corresponding $\overline{CRWLF}$-program
$\overline{\mathcal{P}}$ from a given OIS-CRWLF-program $\mathcal{P}$:

$$ \overline{\mathcal{P}} = \{ f(\bar t) \to \bar e_1 \cup \ldots \cup \bar e_n \mid f(\bar t) \to e_1, \ldots, f(\bar t) \to e_n \in \mathcal{P}
\text{ and there is not any other rule in } \mathcal{P} \text{ with head } f(\bar t) \} $$
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Table 2. Rules for CRfFI/F-provability 





(3) 



t\ 0 tfi 0 Cri 



c ^ DC U{f} 



tn)} <1 {c{t') \ t' £ Cl X ... X Cn} 




S' < C S[X/C] <1 c 



(/© - 5') G [P]x,F 



5[X/f] < C for all (/(si, ^ 5') e P, 

Ux6/(t) 5 <1 C ti and Si have a DC U {F}-clash for some i € {1, n} 

S^ <1 frf So\ X /tn/.p] < C 



The non-overlapping condition is guaranteed because we join all the rules with the same head (up to renaming) into a single rule.

Table 2 shows the rules for $\overline{\mathrm{CRWLF}}$-provability. Rules 1, 2 and 3 have a natural counterpart in CRWLF. For rule 4 we must define the set of c-instances of rules of the program: $[\overline{\mathcal{P}}]_{\bot,F} = \{R\theta \mid R = (f(\bar t) \to S) \in \overline{\mathcal{P}} \text{ and } \theta \in CSubst_{\bot,F}|_{var(\bar t)}\}$. The notation $CSubst_{\bot,F}|_{var(\bar t)}$ stands for the set of substitutions of $CSubst_{\bot,F}$ restricted to $var(\bar t)$. As $var(\bar t) \cap pvar(S) = \emptyset$, the substitution is well defined according to Definition [?].

Notice that rule 4 uses a c-instance of a rule, and this c-instance is unique if it exists (due to the non-overlapping condition imposed on programs). If no such c-instance exists, then by rule 5 the corresponding expression reduces to F. Rules 6 and 7 are the counterparts of rules 8 and 9 of CRWLF. Finally, rules 8 and 9 are due to the recursive definition of sas-expressions and have a natural reading.

Given a $\overline{\mathrm{CRWLF}}$-program $\overline{\mathcal{P}}$ and $S \in SasExp$, we write $\overline{\mathcal{P}} \vdash_{\overline{\mathrm{CRWLF}}} S \lhd \mathcal{C}$ if the relation $S \lhd \mathcal{C}$ is provable with respect to $\overline{\mathrm{CRWLF}}$ and the program $\overline{\mathcal{P}}$. The denotation of $S$ is defined as the set $\{\mathcal{C} \mid \overline{\mathcal{P}} \vdash_{\overline{\mathrm{CRWLF}}} S \lhd \mathcal{C}\}$.

Example 3. Assume the OLS-CRWLF-program:

$$\begin{array}{l} add(z, Y) \to Y \\ add(s(X), Y) \to s(add(X, Y)) \\ double(X) \to add(X, X) \\ f(X) \to z \\ f(X) \to s(X) \end{array}$$

The corresponding $\overline{\mathrm{CRWLF}}$-program $\overline{\mathcal{P}}$ is:

$$\begin{array}{l} add(z, Y) \to \{Y\} \\ add(s(X), Y) \to \bigcup_{A \in \{X\}} \bigcup_{B \in \{Y\}} \bigcup_{C \in add(A,B)} \{s(C)\} \\ double(X) \to \bigcup_{A \in \{X\}} \bigcup_{B \in \{X\}} \bigcup_{C \in add(A,B)} \{C\} \\ f(X) \to \{z\} \cup \bigcup_{A \in \{X\}} \{s(A)\} \end{array}$$

Within CRWLF we can prove $double(f(z)) \lhd \{z, s(s(z))\}$, and within $\overline{\mathrm{CRWLF}}$ we can obtain the same SAS by proving $\overline{double(f(z))} \lhd \{z, s(s(z))\}$. Let us sketch the form in which this proof can be done. First, we have:

$$\overline{double(f(z))} = \bigcup_{A \in \bigcup_{C \in \{z\}} \bigcup_{D \in f(C)} \{D\}}\ \bigcup_{B \in double(A)} \{B\}$$

By rule 8 of $\overline{\mathrm{CRWLF}}$ this proof is reduced to the proofs:

$$\bigcup_{C \in \{z\}} \bigcup_{D \in f(C)} \{D\} \lhd \{z, s(z)\} \qquad (\varphi_1)$$

$$\bigcup_{B \in double(z)} \{B\} \cup \bigcup_{B \in double(s(z))} \{B\} \lhd \{z, s(s(z))\} \qquad (\varphi_2)$$

By rule 8, $(\varphi_1)$ is reduced to the proofs $\{z\} \lhd \{z\}$ and $\bigcup_{D \in f(z)} \{D\} \lhd \{z, s(z)\}$. The first is done by rule 3 and the other is reduced by rule 4. On the other hand, by rule 9 the proof $(\varphi_2)$ can be reduced to the proofs:

$$\bigcup_{B \in double(z)} \{B\} \lhd \{z\} \quad (\varphi_3) \qquad\qquad \bigcup_{B \in double(s(z))} \{B\} \lhd \{s(s(z))\} \quad (\varphi_4)$$

Both $(\varphi_3)$ and $(\varphi_4)$ proceed by rule 4 in a similar way. We fix our attention on $(\varphi_4)$ which, using the rule for $double$, is reduced to:

$$\bigcup_{A \in \{s(z)\}} \bigcup_{B \in \{s(z)\}} \bigcup_{C \in add(A,B)} \{C\} \lhd \{s(s(z))\}$$

and then, by two applications of rule 8, to $\bigcup_{C \in add(s(z), s(z))} \{C\} \lhd \{s(s(z))\}$. Now, rule 4 uses the first defining rule for $add$ and the proof is reduced to:

$$\bigcup_{A \in \{z\}} \bigcup_{B \in \{s(z)\}} \bigcup_{C \in add(A,B)} \{s(C)\} \lhd \{s(s(z))\}$$

By rule 8 it is reduced to:

$$\bigcup_{B \in \{z\}} \bigcup_{C \in \{s(z)\}} \bigcup_{D \in add(B,C)} \{D\} \lhd \{s(z)\} \quad (\varphi_5) \qquad\qquad \{s(s(z))\} \lhd \{s(s(z))\} \quad (\varphi_6)$$

The proof $(\varphi_6)$ is done by successive applications of rule 3 and $(\varphi_5)$ is reduced by rule 8 (twice) to $\bigcup_{D \in add(z, s(z))} \{D\} \lhd \{s(z)\}$. This last proceeds by applying the first defining rule of $add$ by means of rule 4.
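The set-valued reading of Example 3 can be checked mechanically. The following Python block is an added example, not code from the paper: it represents the constructor terms $z, s(z), s(s(z)), \ldots$ as the naturals $0, 1, 2, \ldots$, turns each rule of the $\overline{\mathrm{CRWLF}}$-program into a function returning the set of cterms it may yield, and writes every indexed union as a loop over the elements of the indexing set. The comparison with an unshared evaluation of $add(f(z), f(z))$ (function `unshared_add_f_f`) is the example's own addition, included to show what binding both arguments of $add$ to the same $A$ in $double$ achieves; all function names are the example's.

```python
"""Set-valued reading of the program of Example 3.

Added example (not from the paper).  Constructor terms z, s(z), s(s(z)), ...
are the naturals 0, 1, 2, ...; each rule of the CRWLF-bar program becomes a
function returning the set of cterms it may yield, and every indexed union
U_{A in S} ... becomes a loop over the elements of S.  The comparison with an
unshared evaluation of add(f(z), f(z)) is this example's own, added to show what
binding both arguments of add to the same A in double achieves.
"""
from typing import FrozenSet

Cterm = int  # z = 0, s(t) = t + 1


def add(x: Cterm, y: Cterm) -> FrozenSet[Cterm]:
    """add(z, Y) -> {Y};
    add(s(X), Y) -> U_{A in {X}} U_{B in {Y}} U_{C in add(A, B)} {s(C)}"""
    if x == 0:
        return frozenset({y})
    return frozenset(c + 1 for a in {x - 1} for b in {y} for c in add(a, b))


def f(x: Cterm) -> FrozenSet[Cterm]:
    """f(X) -> {z} U U_{A in {X}} {s(A)}: a non-deterministic function."""
    return frozenset({0}) | frozenset(a + 1 for a in {x})


def double(x: Cterm) -> FrozenSet[Cterm]:
    """double(X) -> U_{A in {X}} U_{B in {X}} U_{C in add(A, B)} {C}"""
    return frozenset(c for a in {x} for b in {x} for c in add(a, b))


def eval_double_of_f_of_z() -> FrozenSet[Cterm]:
    """The sas-expression of double(f(z)):
    U_{A in U_{C in {z}} U_{D in f(C)} {D}} U_{B in double(A)} {B}.
    The inner union is the SAS {z, s(z)} of f(z); A ranges over it once,
    so each single value of f(z) is doubled, giving {z, s(s(z))}."""
    inner = frozenset(d for c in {0} for d in f(c))
    return frozenset(b for a in inner for b in double(a))


def unshared_add_f_f() -> FrozenSet[Cterm]:
    """add(f(z), f(z)) with the two calls chosen independently (no sharing):
    the mixed combinations contribute s(z) as well."""
    return frozenset(c for a in f(0) for b in f(0) for c in add(a, b))


if __name__ == "__main__":
    print("double(f(z)) with sharing:", sorted(eval_double_of_f_of_z()))
    print("add(f(z), f(z)) without sharing:", sorted(unshared_add_f_f()))
```

The shared evaluation yields exactly the SAS $\{z, s(s(z))\}$ derived in the proof sketch, whereas the unshared variant also produces $s(z)$, which is the difference the indexed-union binding is designed to express.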



5.4 CRWLF & $\overline{\mathrm{CRWLF}}$

We show here the strong semantic equivalence between CRWLF and $\overline{\mathrm{CRWLF}}$.

Lemma 1 (Semantic Equivalence of CRWLF and $\overline{\mathrm{CRWLF}}$). Let $\mathcal{P}$ be an OLS-CRWLF-program and $\overline{\mathcal{P}}$ be the corresponding $\overline{\mathrm{CRWLF}}$-program. Let $e \in Term_{\bot,F}$ and $\overline{e} \in SasExp$ be the corresponding sas-expression. Then

$$\mathcal{P} \vdash_{\mathrm{CRWLF}} e \lhd \mathcal{C} \iff \overline{\mathcal{P}} \vdash_{\overline{\mathrm{CRWLF}}} \overline{e} \lhd \mathcal{C}.$$

As a trivial consequence of this lemma, we arrive at our final result:

Theorem 2. Let $\mathcal{P}$ be a general CRWLF-program and $\Delta(\mathcal{P})$ be the corresponding $\overline{\mathrm{CRWLF}}$-program. Let $e$ be an expression built over the signature of $\mathcal{P}$ and $\overline{e}$ be the corresponding sas-expression. Then: $\mathcal{P} \vdash_{\mathrm{CRWLF}} e \lhd \mathcal{C} \iff \Delta(\mathcal{P}) \vdash_{\overline{\mathrm{CRWLF}}} \overline{e} \lhd \mathcal{C}$.

As a consequence, denotations of expressions are preserved in the transformation process, i.e., the denotation of $e$ with respect to $\mathcal{P}$ coincides with the denotation of $\overline{e}$ with respect to $\Delta(\mathcal{P})$.

So, the properties about consistency, monotonicity and substitutions of Prop. [?] are preserved in $\overline{\mathrm{CRWLF}}$ when considering expressions and the corresponding sas-expressions.

6 Conclusions 

We have extended and reformulated CRWLF [?], a proof-theoretic framework 
designed to deduce failure information from positive functional logic programs 
(i.e., programs not making use of failure inside them). To allow programs the 
use of failure, we have introduced a built-in function $fails(e)$, and extended the 
proof calculus to deal with it. 

We have discussed the declarative meaning of functions defined in programs. 
Since functions can be non-deterministic, they are in general set-valued. Each 
rule in the program defines (partially, since there can be more rules) a function 
as a mapping from (tuples of) constructor terms to sets of constructor terms. If 
we try to re-write the defining rules of a function $f$ to express directly which is 
the value (set of constructor terms) of applying $f$ to given arguments, we face 
the problem that this set can be distributed among different overlapping rules. 
To overcome this problem we have considered the class of overlapping induc- 
tively sequential programs in which overlapping rules are always variants. We 
have defined a transformation of general programs into such kind of programs 
and proved that the transformation preserves the semantics, which constitutes 
itself an interesting application of the developed formal framework. Our transformation behaves better than that proposed in [?], if the transformed program 
is going to be used in existing systems like Curry [?] or TOY [?]. 

To stress the set-theoretic reading of programs, we have introduced set- 
oriented syntactic constructs to be used in right hand sides of rules, like set 
braces, union of sets, or union of indexed families of sets. This provides a more 
intuitive reading of programs in terms of classical mathematical notions, close 
to the intended semantics. As an additional interesting point of this new syntax, 
indexed unions are a binding construct able to express sharing at the syntactic 
level, playing a role similar to local (let or where) definitions. As far as we know, 
this is the first time that some kind of local definitions are incorporated into a 
formal semantic framework for functional logic programming. 

Our last contributions have been a transformation of overlapping inductively 
sequential programs into programs with set-oriented syntax, and a specific proof 
calculus for the latter, by means of which we prove that the transformation 
preserves the semantics of programs. Apart from any other virtues, we have 
strong evidence that this new set-oriented syntax and proof calculus are a 
better basis for an ongoing development of an operational (narrowing based) 
semantics and subsequent implementation of a functional logic language with 
failure. 
Abstract. In this paper we compare the expressive power of various 
fixed-point logics on linear or dense order constraint databases. This 
comparison is not done on absolute terms, i.e. by comparing their ex- 
pressive power for arbitrary queries, rather for definability of partially 
recursive queries. The motivation for choosing this benchmark comes 
from fixed-point logics as query languages for constraint databases. Here, 
non-recursive queries are of no practical interest. 

It is shown that for linear constraint databases already transitive closure 
logic is expressive enough to define all partially recursive queries, i.e., 
transitive-closure logic is expressively complete for this class of databases. 
It follows that transitive-closure, least, and stratified fixed-point logic are 
equivalent with respect to this benchmark. 



1 Introduction 

Logics and query languages allowing the definition of fixed-points of definable 
operators have a long tradition both in (finite) model theory and database theory. 

In finite model theory, the interest in fixed-point logics comes from questions 
connected with the definability or description of computations in logical for- 
malisms. To obtain logics strong enough to describe properties interesting from 
a computational point of view, extensions of first-order logic by operators to de- 
fine fixed-points have been considered. Among the logics obtained in this way are 
transitive-closure logic (FO(TC)), which extends first-order logic by an operator 
to define the transitive closure of definable graphs, and least fixed-point logic 
(FO(LFP)), which extends first-order logic by an operator to define the least 
fixed-point of operators defined by positive formulae. We give precise definitions 
of these logics in Section 2. 

Query languages incorporating fixed-point concepts have also been studied 
in database theory. Here, the fixed-point constructs have not been added to full 
first-order logic but to conjunctive queries instead. To obtain more expressive 
logics than this query language, called Datalog, database theorists incorporated 
negation in various ways. One of these extensions is Stratified Datalog, where 
negation is allowed in a limited way. Stratified Datalog plays a rather prominent 
role in database theory as it has a good balance between expressive power and 
complexity. 
Once the logics and query languages had been defined, it became obvious 
that fixed-point logics had corresponding Datalog variants and vice versa. For 
instance, Datalog is a logic equivalent to existential fixed-point logic (FO(EFP)), 
the restriction of least fixed-point logic to existential formulae. 

Generally, it is clear that FO(TC) $\subseteq$ FO(SFP) $\subseteq$ FO(LFP) and, further, 
that FO(EFP) $\subseteq$ FO(SFP), where FO(SFP) is equivalent to Stratified Datalog.^1 
Further, FO(TC) and FO(EFP) are incomparable. Whether these inclusions are 
strict depends on the kind of structures under consideration. It has been shown, 
that on arbitrary structures all inclusions are strict. The standard example sep- 
arating FO(SFP) and FO(LFP) is the property of a binary relation of being a 
well-ordering. See [?] for a very recent survey on fixed-point logics. 

On finite structures, the situation depends on whether an ordering is avail- 
able. If the structures are ordered, FO(SFP) and FO(LFP) coincide with Ptime 
and, if the order is given by a successor relation, the same is true for FO(EFP). 
Whether FO(TC) and FO(LFP) have the same expressive power on finite ordered structures depends on whether NLogspace equals Ptime. See [EF95] for 
an extensive study of these questions on finite structures. 

In [Kol91], Kolaitis showed that on unordered finite structures FO(SFP) is 
strictly weaker than FO(LFP). To prove this he used so-called game trees which 
can be defined in FO(LFP) but not in FO(SFP). 

In this paper we are mainly interested in the expressive power of transitive- 
closure logic, stratified Datalog, and least fixed-point logic in the context of constraint databases (see [KLP00] for a detailed overview of constraint databases). 
We give a precise definition of constraint databases in the next section. These 
structures lie somewhere between finite and arbitrary infinite structures. They 
usually have an ordering on their universe available, so that the separation meth- 
ods for finite structures do not work, but on the other hand the database relations 
often provide too much structure to use the methods that work on general infinite structures. The problem here is that, classically, logics are separated by 
showing that a class of structures with certain properties is definable in one logic 
but not in the other. In the constraint setting, the context structure is fixed in 
advance, whereas the relations that vary are first-order definable and thus have a 
rather simple structure. However, it can still be shown that on many interesting 
context structures, least fixed-point logic is more expressive than, for instance, 
stratified Datalog. 

So far, much work on fixed-point logics in the context of constraint databases 
has focused on syntactic variants defined with regard to certain properties of the 
resulting languages, such as polynomial time complexity, see e.g. [GK97,Kre01], or 
termination, see e.g. [GK00]. Further, the logics have been considered in terms 
of absolute definability, i.e., the main question was whether there are relations 
or properties definable in one logic but not in another. 

Besides this classification, the expressive power can also be measured with 
respect to a fixed benchmark. This approach is taken here, where we consider 

^1 Actually, FO(SFP) stands for stratified fixed-point logic, a name that will become 
clear later. 
constraint databases over the real ordered group $(\mathbb{R}, <, +)$. As benchmark we 
take the class of partially computable queries. Precisely, we investigate which 
portions of this class of queries are definable in each of the logics mentioned 
above. 

The motivation for choosing the class of partially recursive queries as bench- 
mark comes from the use of fixed-point logics as query languages. Someone using 
the logics to ask queries about a given database will only be interested in com- 
putable queries, i.e., those whose evaluation terminates. Thus a query language 
that is more expressive than another only in means of the power to define non- 
recursive queries will not be considered as being expressively stronger. 

When speaking about logics defining partially computable queries we first 
have to specify what it means for a formula to define a computable query. So 
far we only considered the standard model-theoretical semantics of fixed-point 
logics. Formally, the model-theoretical semantics for a logic $\mathcal{L}$ can be seen as a function

$$\mathrm{mod} : \varphi \in \mathcal{L} \longmapsto (\mathrm{mod}_\varphi : (\mathfrak{A}, \sigma) \longmapsto \mathcal{P}(A^*)),$$

taking formulae $\varphi \in \mathcal{L}$ to functions that map a database $\mathfrak{B} := (\mathfrak{A}, \sigma)$ to relations over its universe. The problem is that the functions $\mathrm{mod}_\varphi$ are not required to be computable. Further, in the constraint database setting, the problem arises that the resulting relations on $A$ are not necessarily finitely representable in the context structure. Therefore, we have to give the logics an operational semantics, i.e., a total recursive function

$$\mathrm{op} : \varphi \in \mathcal{L} \longmapsto (\mathrm{op}_\varphi : (\mathfrak{A}, \sigma) \longmapsto \mathcal{P}(A^*)),$$

where the functions $\mathrm{op}_\varphi$ are partially recursive and take databases to finitely representable relations.

Clearly, not every such function can sensibly be called an operational seman- 
tics. One obvious condition that should be satisfied by any operational semantics 
for a logic is that it is consistent with the model-theoretical semantics, i.e., for 
all databases $\mathfrak{B}$ and formulae $\varphi$ where $\mathrm{op}_\varphi(\mathfrak{B})$ is defined, the two semantics 
should agree on the result, i.e., $\mathrm{mod}_\varphi(\mathfrak{B}) = \mathrm{op}_\varphi(\mathfrak{B})$. 

Although the consistency condition is a necessary condition, it alone does not 
ensure that the semantics meets our expectations. For instance, the operational 
semantics mapping each formula to the everywhere undefined function would 
trivially satisfy the consistency requirement. 

Thus, besides this consistency criterion also some kind of completeness con- 
dition is needed. Unlike for consistency, there is no canonical definition for an 
operational semantics to be complete. In this paper we take the view that an 
operational semantics for a logic is complete if it is the most powerful possible, i.e. 
there is no other operational semantics and no partially computable query which 
is definable in the logic under the second but not under the first semantics. 

In Section 3 we define operational semantics for the fixed-point logics mentioned above which satisfy both the consistency and the completeness condition. 

The latter condition will be proved by showing that under the operational semantics we define for transitive-closure logic, all partially computable queries 
on linear constraint databases become definable in FO(TC). This shows that 
FO(TC) is expressively complete for this class of databases. 

It follows from this that also least and stratified fixed-point logic are ex- 
pressively complete and thus the three logics are equivalent with respect to the 
class of partially computable queries. This equivalence does not hold for exis- 
tential fixed-point logic, where we show that there even exist queries definable 
in first-order logic but not in existential fixed-point logic. 

Finally, in Section 4 we will consider constraint databases over the real line. 
Here it will be shown that the question about the expressive power of fixed- 
point logics can be reduced to the question for finite ordered databases. Thus, 
stratified Datalog and least fixed-point logic have the same expressive power 
and transitive-closure logic is equal to both if, and only if, NLogspace equals 
Ptime. 

2 Preliminaries 

Constraint Databases. Constraint databases have been introduced by Kanellakis, Kuper, and Revesz [KKR90,KKR95] as a model for infinite relational databases that have a finite representation and are therefore accessible to algorithmic problems. 

Let a signature $\tau$ and a $\tau$-structure $\mathfrak{A}$ be given. Constraint databases are defined with respect to this fixed structure $\mathfrak{A}$. For a finite relational signature $\sigma$, a $\sigma$-constraint database $\mathfrak{B}$ over $\mathfrak{A}$, or simply constraint database if $\sigma$ and $\mathfrak{A}$ are understood or irrelevant, is a $\sigma$-expansion of $\mathfrak{A}$ such that for all relation symbols $R \in \sigma$ there is a quantifier-free formula over $\mathfrak{A}$ defining $R^{\mathfrak{B}}$ in $\mathfrak{A}$. In these defining formulae elements of the universe may be used as parameters. The database relations in $\sigma$ are called finitely representable or constraint relations. 

In this paper we are specifically interested in linear constraint databases, i.e., constraint databases over the structure $(\mathbb{R}, <, +)$. Thus, linear constraint relations are defined by boolean combinations of linear equalities and inequalities. In this paper we only allow rational coefficients in these formulae defining database relations.^2 

Fixed-point logics. As mentioned in the introduction, we are specifically 
interested in the expressive power of transitive-closure and least fixed-point logic 
as well as Datalog and stratified Datalog. We define FO(TC) and FO(LFP) first 
and then turn to the Datalog variants. 

Definition 1 Transitive-closure logic (FO(TC)) is defined as the extension of first-order logic by the following formula building rule. If $\varphi(\bar x, \bar y)$ is a formula with free tuples of variables $\bar x, \bar y$ of equal length, then

$$\psi := [TC_{\bar x, \bar y}\, \varphi](\bar s, \bar t)$$

is also a formula, where $\bar s, \bar t$ are tuples of terms of the same length as $\bar x$ and $\bar y$. The free variables of $\psi$ are the variables occurring free in $\bar s, \bar t$ and the free variables of $\varphi$ other than $\bar x$ and $\bar y$.

Given a structure $\mathfrak{A}$, the semantics of FO(TC) is defined inductively with the meaning of the TC-rule being that for some tuples $\bar a, \bar b$, $\mathfrak{A} \models ([TC_{\bar x, \bar y}\, \varphi])[\bar a, \bar b]$ if, and only if, $(\bar a, \bar b)$ is in the transitive closure of the relation $\{(\bar u, \bar v) : \mathfrak{A} \models \varphi[\bar u, \bar v]\}$.

Note that the result of a formula in FO(TC) on a linear constraint database does not have to be finitely representable anymore. For instance, the formula $\varphi(y) := [TC_{x,y}\, x + 1 = y](0, y)$ defines the natural numbers on any linear constraint database. But clearly, the result is not finitely representable.

^2 After all, constraint databases have been defined in order to be finitely representable and it is debatable whether formulae with transcendental coefficients could sensibly be called finitely representable.



Definition 2 Least fixed-point logic FO(LFP) is defined as the extension of first-order logic by the following formula building rule. If $\varphi(R, \bar x)$ is a formula with free first-order variables $\bar x := x_1, \ldots, x_k$ and a free second-order variable $R$ of arity $k$ such that $\varphi$ is positive in $R$, then

$$\psi := [\mathrm{lfp}_{R, \bar x}\, \varphi](\bar t)$$

is also a formula, where $\bar t$ is a tuple of terms of the same length as $\bar x$. The free variables of $\psi$ are the variables occurring in $\bar t$ and the free variables of $\varphi$ other than $\bar x$.

Given a structure $\mathfrak{A}$, the semantics of FO(LFP) is defined inductively with the meaning of the FO(LFP)-rule being as follows. Define the stages $R^\alpha$ of a fixed-point induction as

$$R^0 := \emptyset, \qquad R^{\alpha+1} := \{\bar a : \mathfrak{A} \models \varphi(R^\alpha, \bar a)\}, \qquad R^\lambda := \bigcup_{\alpha < \lambda} R^\alpha \text{ for limit ordinals } \lambda.$$

For a given structure $\mathfrak{A}$ and a tuple $\bar a \in A^k$, the formula $[\mathrm{lfp}_{R, \bar x}\, \varphi]$ becomes true for $\bar a$ if, and only if, $\bar a \in R^\alpha$, where $\alpha$ is the least ordinal such that $R^\alpha = R^{\alpha+1}$.

As $\varphi$ is required to be positive in $R$, such a stage $\alpha$ always exists.

We now turn to the definition of the Datalog variants. To harmonise notation, 
we will not deal with the Datalog variants directly but consider the corresponding 
fixed-point logics instead. In the case of Datalog this is the well known existential 
fixed-point logic. 



Definition 3 Existential least fixed-point logic is defined as the restriction of 
FO(LFP) to formulae without universal quantifiers and with negation being al- 
lowed only in front of atoms which are not built up from fixed-point variables. 
For stratified Datalog there are various syntactically different fixed-point extensions of FO equivalent to it. We follow the notation introduced by Kolaitis in [Kol91].^3

Definition 4 Stratified Fixed-Point Logic (FO(SFP)) is defined as follows.

• Let FO(SFP)$_1$ be defined as existential fixed-point logic.

• Define FO(SFP)$_{i+1}$ as the class of existential fixed-point formulae which may use literals of the form $\psi(\bar x)$, where $\psi$ is an FO(SFP)$_l$ formula with $l \le i$. Note that these formulae may occur under the scope of negation symbols.

Stratified fixed-point logic is defined as the union FO(SFP) $:= \bigcup_{i \in \omega}$ FO(SFP)$_i$ of all FO(SFP)$_i$ for $i \in \omega$.

Clearly, FO(SFP) and stratified Datalog have the same expressive power and a stratified Datalog program with $l$ strata corresponds to a formula in FO(SFP)$_l$. We sometimes mark the fixed-point operator of an FO(SFP)-formula differently from that of FO(LFP). This happens in cases where we compare FO(SFP) and FO(LFP) and want to make it very clear in which logic we are.

It can easily be shown that a formula $[TC_{\bar x, \bar y}\, \varphi(\bar x, \bar y)](\bar s, \bar t)$ of FO(TC) is equivalent to the FO(SFP)-formula $[\mathrm{lfp}_{R, \bar z}\, (\bar z = \bar s \vee \exists \bar z'\, (R\bar z' \wedge \varphi(\bar z', \bar z)))](\bar t)$. Thus, FO(TC) $\subseteq$ FO(SFP). In fact, it can even be shown that every FO(SFP)-formula of the form $[\mathrm{lfp}_{R, \bar x}\, \varphi_0 \vee \exists \bar x' \in R\, \varphi_1(\bar x, \bar x')](\bar t)$ such that $R$ does not occur in $\varphi_0$ and $\varphi_1$ is equivalent to a formula in FO(TC), provided that $\varphi_0$ and $\varphi_1$ are equivalent to formulae in FO(TC).

It is also clear that FO(SFP) $\subseteq$ FO(LFP).



3 Finitely Representable Expansions of the Real Ordered Group 

In this section we consider constraint databases over the real ordered group 
$(\mathbb{R}, <, +)$ and show that transitive-closure, least, and stratified fixed-point logic 
define the same class of partially computable queries. This is proven by showing 
that all partially computable queries are already definable in FO(TC). For this, 
we first have to give the logics an operational semantics. 



3.1 Operational Semantics for Fixed-Point Logics 

Throughout this section, we denote by CDB the class of constraint databases over 
$(\mathbb{R}, <, +)$ and by CRel the class of finitely representable relations over $(\mathbb{R}, <, +)$. 
We don’t distinguish between finitely representable relations and their represent- 
ing formulae and denote both by CRel. It will always be clear from the context 
whether the relation or the formula is meant. 

^3 Note that in this paper the logic was called existential fixed-point logic! 
Definition 5 For a given logic $\mathcal{L}$, an operational semantics $\mathrm{op}_{\mathcal{L}}$ is defined as a total recursive function

$$\mathrm{op} : \varphi \in \mathcal{L} \longmapsto (\mathrm{op}_\varphi : CDB \to CRel)$$

taking formulae $\varphi \in \mathcal{L}$ to partially computable functions $\mathrm{op}_\varphi$ which take constraint databases over $(\mathbb{R}, <, +)$ to representations of finitely representable relations over $(\mathbb{R}, <, +)$.

For $\varphi \in \mathcal{L}$ we denote by $\mathrm{mod}_\varphi(\mathfrak{B})$ the set of elements defined by $\varphi$ under the model-theoretical semantics for $\mathcal{L}$. An operational semantics op for $\mathcal{L}$ is consistent with the model-theoretical semantics if, and only if, for all formulae $\varphi$ and all databases $\mathfrak{B}$ such that $\mathrm{op}_\varphi(\mathfrak{B})$ is defined, $\mathrm{mod}_\varphi(\mathfrak{B}) = \mathrm{op}_\varphi(\mathfrak{B})$.

We now define an operational semantics for transitive-closure logic. This op- 
erational semantics closely resembles the usual definition of the model-theoretical 
semantics. 

Definition 6 (Operational semantics for FO(TC)) For each formula $\varphi \in$ FO(TC) we define a function $\mathrm{op}_\varphi : CDB \to CRel$ by induction on the structure of $\varphi$. Fix a quantifier elimination procedure for $(\mathbb{R}, <, +)$, i.e., an evaluation schema for first-order queries.

• If $\varphi \in$ FO, define $\mathrm{op}_\varphi(\mathfrak{B}) := \varphi'$, where $\varphi'$ is obtained from $\varphi$ by first substituting each occurrence of a database relation symbol by the formula defining the relation in $\mathfrak{B}$ and then eliminating the quantifiers using the quantifier elimination method fixed above.

• If $\varphi := \varphi_1 \wedge \varphi_2$, define $\mathrm{op}_\varphi(\mathfrak{B})$ as $(\mathrm{op}_{\varphi_1}(\mathfrak{B})) \wedge (\mathrm{op}_{\varphi_2}(\mathfrak{B}))$. For other boolean connectives the function $\mathrm{op}_\varphi$ is defined analogously.

• If $\varphi := \exists x\, \varphi_1$, define $\mathrm{op}_\varphi(\mathfrak{B})$ as the result of applying the quantifier-elimination method fixed above to $\exists x\, \mathrm{op}_{\varphi_1}(\mathfrak{B})$.

• Now suppose that $\varphi$ is of the form $\varphi := [TC_{\bar x, \bar y}\, \psi(\bar x, \bar y)](\bar u, \bar v)$. We inductively define formulae $\sigma_i$, $i \in \omega$, as follows. Recall that we allowed the use of rational numbers as parameters in the formulae. Let $I$ be the indices of parameters among $\bar u := u_1, \ldots, u_n$, i.e., $u_i$ is a constant if, and only if, $i \in I$.

(i) $\sigma_0 := \psi(\bar x, \bar y) \wedge \bigwedge_{i \in I} u_i = x_i$.

(ii) $\sigma_{i+1} := \exists \bar x'\, (\sigma_i(\bar x, \bar x') \wedge \psi(\bar x', \bar y))$.

If there is no $j \in \omega$ such that $\sigma_j$ and $\sigma_{j+1}$ are equivalent in $\mathfrak{B}$, then $\mathrm{op}_\varphi(\mathfrak{B})$ is undefined. Otherwise let $i$ be the smallest such $j$ and define

$$\mathrm{op}_\varphi(\mathfrak{B}) := \exists \bar x \exists \bar y\, ((\bar u = \bar x) \wedge (\bar y = \bar v) \wedge \sigma_i(\bar x, \bar y)).$$

Finally, we define the operational semantics op for FO(TC) as the function taking formulae $\varphi$ to $\mathrm{op}_\varphi$.

Observe the difference between this definition of an operational semantics and the standard way to define the model-theoretical semantics as outlined in Definition 1 in the way the formula $\sigma_0$ is defined. The conjunct $\bigwedge_{i \in I} u_i = x_i$ reduces the computation of the transitive closure to the computation of all tuples which are reachable from tuples with some fixed components. Thus, by letting constants occur in the tuple $\bar u$ one gets some control over the process of building up the transitive closure. However limited this control might seem, we will show below that it is enough to allow the definition of arbitrary partially computable queries over databases from CDB, whereas it seems unlikely that this is also possible without this modification. 
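The stage constructions of Definition 2 and Definition 6 can be watched on a finite structure. The following Python block is an added example, not code from the paper: `lfp_stages` computes the stages $R^0, R^1, \ldots$ of a positive operator until $R^\alpha = R^{\alpha+1}$, and `op_tc` computes the formulae $\sigma_0, \sigma_1, \ldots$ for $[TC_{x,y}\,\psi](u, v)$, where a constant $u$ restricts $\sigma_0$ to pairs whose first component equals $u$ and the absence of a repeating stage yields the paper's "undefined". Its assumptions are stated in the docstring: stages are accumulated so that $\sigma_{i+1}$ contains $\sigma_i$, relations are finite sets of pairs rather than formulae (so "equivalent in $\mathfrak{B}$" is set equality), the cut-off `max_stages` stands in for the non-existence of a repeating stage, and the graph `E`, the operator `reach_operator` and all function names are constructed for the example.

```python
"""Stage-wise evaluation of fixed-point formulae on a finite structure.

Added example (not from the paper).  It makes two definitions of the text
concrete on a small directed graph E:
  * lfp_stages: the stages R^0 = {}, R^{a+1} = {x : A |= phi(R^a, x)} of
    Definition 2 for a positive operator, stopping at the first a with
    R^a = R^{a+1};
  * op_tc: the formulae sigma_0, sigma_1, ... of Definition 6 for
    [TC_{x,y} psi](u, v), where a constant u restricts sigma_0 to pairs whose
    first component equals u, and "op undefined" when no stage repeats.
Assumptions of this example: stages are accumulated (sigma_{i+1} contains
sigma_i), relations are finite sets of pairs rather than formulae, so
"equivalent in B" is plain set equality, and the cut-off max_stages stands in
for the paper's "no j with sigma_j equivalent to sigma_{j+1}".
"""
from typing import Callable, FrozenSet, Iterable, List, Optional, Set, Tuple

Pair = Tuple[int, int]

# Constructed sample structure: a graph on {0,...,5} with a 3-cycle and a path.
E: FrozenSet[Pair] = frozenset({(0, 1), (1, 2), (2, 0), (3, 4), (4, 5)})
UNIVERSE = range(6)


def psi_E(x: int) -> Set[int]:
    """The relation psi(x, y) := E(x, y), given as the set {y : E(x, y)}."""
    return {y for (a, y) in E if a == x}


def lfp_stages(step: Callable[[FrozenSet], FrozenSet]) -> List[FrozenSet]:
    """Stages R^0, R^1, ..., R^a of Definition 2, where R^a is the first stage
    with step(R^a) == R^a.  `step` is R |-> {x : A |= phi(R, x)} and must be
    monotone, which is what positivity of phi in R guarantees."""
    stages: List[FrozenSet] = [frozenset()]
    while True:
        nxt = step(stages[-1])
        if nxt == stages[-1]:
            return stages
        stages.append(nxt)


def reach_operator(R: FrozenSet) -> FrozenSet:
    """phi(R, x, y) := E(x, y) or exists z (R(x, z) and E(z, y)); positive in R."""
    return E | frozenset((x, y) for (x, z) in R for y in psi_E(z))


def op_tc(psi: Callable[[int], Iterable[int]], u: Optional[int], v: Optional[int],
          universe: Iterable[int] = (), max_stages: int = 1000
          ) -> Optional[Tuple[List[FrozenSet], FrozenSet]]:
    """Evaluate [TC_{x,y} psi](u, v) by the stage construction of Definition 6.

    psi(x) is the set {y : psi(x, y)}.  u and v are an int (a constant
    parameter) or None (a free variable); when u is None the universe is
    needed to enumerate sigma_0.  Returns (stages, result) with result the
    pairs (a, b) of the last stage matching the fixed components, or None
    when no stage repeats within max_stages steps (op_phi undefined).
    """
    starts = [u] if u is not None else list(universe)
    # sigma_0 := psi(x, y) and (u = x if u is a constant)
    sigma: FrozenSet[Pair] = frozenset((x, y) for x in starts for y in psi(x))
    stages = [sigma]
    for _ in range(max_stages):
        # sigma_{i+1} := sigma_i or exists x' (sigma_i(x, x') and psi(x', y))
        nxt = sigma | frozenset((x, y) for (x, z) in sigma for y in psi(z))
        if nxt == sigma:  # sigma_j equivalent to sigma_{j+1}: stop here
            result = frozenset((x, y) for (x, y) in sigma if v is None or y == v)
            return stages, result
        sigma = nxt
        stages.append(sigma)
    return None  # no repeating stage found: the operational value is undefined


if __name__ == "__main__":
    print("LFP stages:", [sorted(s) for s in lfp_stages(reach_operator)])
    print("TC from 3:", op_tc(psi_E, 3, None))
    print("TC, no constants:", op_tc(psi_E, None, None, UNIVERSE))
    # [TC_{x,y} x + 1 = y](0, y) over the integers never stabilises:
    print("naturals:", op_tc(lambda x: {x + 1}, 0, None, max_stages=50))
```

With the constant $u = 3$ the computation visits only the two tuples reachable from 3 and stops after two stages, while the same formula without constants builds the full closure of the graph in three stages; the successor relation started at 0 never produces a repeating stage, which is the finite-domain shadow of the remark that $[TC_{x,y}\, x + 1 = y](0, y)$ has no finitely representable result.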

It is now an easy observation that the model-theoretical and the operational 
semantics for FO(TC) are consistent. 

Proposition 7 The operational semantics of Definition 6 is consistent with the 
model-theoretical semantics of FO(TC). 



3.2 Expressive Completeness of Transitive Closure Logic 

We now turn to the definability of partially computable queries by formulae of 
FO(TC). 

Definition 8 A partially computable query $Q$ is defined by a formula $\varphi \in$ FO(TC) if for all databases $\mathfrak{B}$, $Q(\mathfrak{B})$ is defined if and only if $\mathrm{op}_\varphi(\mathfrak{B})$ is defined and in this case $Q(\mathfrak{B}) = \mathrm{op}_\varphi(\mathfrak{B})$. 

We show now that all partially computable functions on constraint databases 
over $(\mathbb{R}, <, +)$ can be defined in FO(TC). The proof runs along the following line. 
We first show that the logic PFOL as introduced by Vandeurzen et al. [Van99] 
is a subset of FO(TC). This enables us to use the results on finite representations definable in PFOL. We then show that the run of Turing-machines can be 
simulated in FO(TC). 

Recall that PFOL was defined as an extension of FO by a restricted form of multiplication. Precisely, the logic allows the use of atoms $x \cdot p = y$, where $p$ is a so-called product variable. These product variables have to be bound by a quantifier $\exists p \in \varphi_p$ or $\forall p \in \varphi_p$, where $\varphi_p(x)$ must be a formula defining a finite set. The semantics of a quantifier $Qp \in \varphi_p$ is the semantics of $Q$ relativised to the set defined by $\varphi_p$.

To show that PFOL $\subseteq$ FO(TC) it suffices to prove that atoms of the form $x \cdot p = y$ can be defined in FO(TC) by a formula whose evaluation always terminates.

We show that atoms of this form can be defined by a formula $mult$ in FO(TC) provided that the formula $\varphi_p$ defines a set of rational numbers. In all cases where we use PFOL formulae below this will always be true. The formula $mult$ makes use of two auxiliary formulae $\varphi_{nd}(p, n, d)$, stating that $n$ and $d$ are the numerator and denominator of the rational number $p$, and $\varphi_{im}(a, b, c)$, which defines $a \cdot b = c$, provided that $b$ is an integer.

By the discussion above, we may use quantifiers $\exists p \in \varphi_p$ in our formulae as abbreviation for $\exists p\, \varphi_p(p)$, where $\varphi_p$ is the unique formula binding $p$ in the PFOL formula.

The formula $\varphi_{im}$ is defined as

$$\varphi_{im} := [TC_{x, y, z;\, x', y', z'}\ (x = x' \wedge y' = y - 1 \wedge z' = z + x \wedge 0 < y \wedge \psi(y))](x, y, 0,\ x, 0, z).$$

The formula is parameterised by the formula $\psi$ which will be replaced by a concrete formula whenever we use $\varphi_{im}$ below. The idea is that $\psi$ bounds the possible values for $y$ from above, whereas the conjunct $0 < y$ bounds $y$ from below. Thus, if there exists a number $c$ such that $\psi$ is not satisfied for any $c' > c$, then the evaluation of $\varphi_{im}$ is guaranteed to terminate. We abbreviate $\varphi_{im}(a, b, c)$ as $a \cdot_\psi b = c$.

We now give the definition of the formula $mult$ and define $\varphi_{nd}$ below. The formula $mult$ is defined as

$$mult(x, p, y) := \exists d \exists n\ \varphi_{nd}(p, n, d) \wedge (x \cdot_{\varphi_n} n = y \cdot_{\varphi_d} d),$$

where $x \cdot_{\varphi_n} n = y \cdot_{\varphi_d} d$ is an abbreviation for $\exists z\, (x \cdot_{\varphi_n} n = z \wedge z = y \cdot_{\varphi_d} d)$, and the formulae $\varphi_n$ and $\varphi_d$ are defined as $\varphi_n(x) := \exists d \exists p\, \varphi_{nd}(p, x, d)$ and $\varphi_d(x) := \exists n \exists p\, \varphi_{nd}(p, n, x)$.

Finally, to define $\varphi_{nd}$ we assume a formula $\gamma(i, j, i', j')$ defining a Gödel enumeration of pairs $(i, j)$ of natural numbers. Using this, we can set

$$\varphi_{nd}(p, n, d) := \varphi_p(p) \wedge d \cdot p = n \wedge [TC_{x, y;\, x', y'}\ (\neg\, x = y \cdot p \wedge \gamma(x, y, x', y'))](1, 0, n, d),$$

where $\varphi_p$ is the formula binding $p$ in the PFOL formula.

Recall that the operational semantics above guarantees that the evaluation of the TC operator starts with the pair $0, 1$. The conjunct $\neg\, x = y \cdot p$ ensures that it terminates once a pair $n, d$ of numerator and denominator for $p$ is reached. Thus $\varphi_{nd}$ defines exactly one pair $n, d$ for each $p$. As the formula is used only for product variables $p$, it defines a finite set. This ensures that the formulae $\varphi_n$ and $\varphi_d$ above define finite sets as well. Thus, for product variables $p$ the formula $mult(x, p, y)$ terminates and defines the set $\{(a, b, c) : a \cdot b = c \text{ and } b \in \varphi_p\}$.
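The termination argument for $\varphi_{im}$, $\varphi_{nd}$ and $mult$ can be replayed with exact rationals. The following Python block is an added example, not code from the paper: `im` follows the chain $(x, y, 0) \to (x, y-1, x) \to \ldots \to (x, 0, x \cdot y)$ that the TC in $\varphi_{im}$ builds, stepping only while $0 < y$ and $\psi(y)$ hold; `nd` walks an enumeration of pairs of naturals until the conjunct $\neg\, x = y \cdot p$ stops it at the first pair $(n, d)$ with $n = d \cdot p$; `mult` combines them as $mult(x, p, y)$ does. Two assumptions are the example's own: the enumeration order (Cantor's anti-diagonal order starting at $(0, 1)$, standing in for the unspecified Gödel enumeration $\gamma$) and the reading of the bound $\psi$ for $\varphi_n$ and $\varphi_d$ as "at most the largest numerator (denominator) of the finite set", since a bound that holds only at the numerators themselves would cut the chain at intermediate values of $y$.

```python
"""PFOL product atoms as bounded TC walks over the rationals.

Added example (not from the paper).  It replays, with exact rationals, the three
formulae of the text:
  * im(x, y, psi): the chain (x, y, 0) -> (x, y-1, x) -> ... -> (x, 0, x*y)
    built by the TC in phi_im, which may only step while 0 < y and psi(y);
  * nd(p): the walk through an enumeration of pairs of naturals that phi_nd
    performs, stopped by the conjunct not(x = y*p) at the first pair (n, d)
    with n = d*p;
  * mult(x, p, product_set): x * p = y via nd and two bounded chains, as in
    mult(x, p, y) = exists d, n. phi_nd(p, n, d) and x *_{phi_n} n = y *_{phi_d} d.
Assumptions of this example: the pair enumeration is Cantor's anti-diagonal
order starting at (0, 1), and the bound psi for phi_n (phi_d) is read as
"y is at most the largest numerator (denominator) of the finite set phi_p".
"""
from fractions import Fraction
from typing import Callable, Iterable, Optional, Tuple


def next_pair(i: int, j: int) -> Tuple[int, int]:
    """Successor in the enumeration (0,1), (1,0), (0,2), (1,1), (2,0), (0,3), ..."""
    return (i + 1, j - 1) if j > 0 else (0, i + 1)


def nd(p: Fraction, max_steps: int = 100_000) -> Optional[Tuple[int, int]]:
    """First pair (n, d) of the enumeration with n = d * p; None if not found.

    Since the walk stops at the first such pair, the result is the reduced
    numerator/denominator pair, and it is unique for every p >= 0."""
    x, y = 0, 1
    for _ in range(max_steps):
        if y > 0 and x == y * p:   # the conjunct not(x = y*p) fails: the chain ends
            return x, y
        x, y = next_pair(x, y)
    return None


def im(x: Fraction, y: int, psi: Callable[[int], bool]) -> Optional[Fraction]:
    """Follow the phi_im chain from (x, y, 0); z when the tuple (x, 0, z) is reached."""
    z = Fraction(0)
    while y > 0 and psi(y):        # 0 < y and psi(y): one more step is allowed
        z, y = z + x, y - 1        # z' = z + x, y' = y - 1, x' = x
    return z if y == 0 else None   # the bound cut the chain before y reached 0


def mult(x: Fraction, p: Fraction,
         product_set: Iterable[Fraction]) -> Optional[Fraction]:
    """x * p = y for p taken from the finite set product_set (the formula phi_p)."""
    pairs = {q: nd(q) for q in product_set}
    if p not in pairs or any(pr is None for pr in pairs.values()):
        return None
    numerators = {pr[0] for pr in pairs.values()}      # the set defined by phi_n
    denominators = {pr[1] for pr in pairs.values()}    # the set defined by phi_d
    n, d = pairs[p]
    z = im(x, n, lambda v: v <= max(numerators))       # x *_{phi_n} n = z
    if z is None:
        return None
    # z = y *_{phi_d} d defines y implicitly; solving gives y = z / d, and the
    # bounded chain from (y, d, 0) must reproduce z for the atom to hold.
    y = z / d
    return y if im(y, d, lambda v: v <= max(denominators)) == z else None


if __name__ == "__main__":
    P = {Fraction(1, 2), Fraction(3)}
    print("nd(1/2) =", nd(Fraction(1, 2)), " nd(3) =", nd(Fraction(3)))
    print("3 * 1/2 =", mult(Fraction(3), Fraction(1, 2), P))
    print("5/7 * 3 =", mult(Fraction(5, 7), Fraction(3), P))
```

Because the walk of `nd` stops at the first qualifying pair, it returns the same $(n, d)$ for $1/2$ and $2/4$, which is the uniqueness the text claims for $\varphi_{nd}$; a negative $p$ never meets a pair of naturals, so the walk does not terminate and the cut-off reports that as `None`.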

The proof of the following lemma is now straight-forward. 

Lemma 9 Each PFOL formula where all product variables are bound by formu- 
lae defining sets of rationals only is equivalent to a formula in FO(TC) whose 
evaluation always terminates. 

It has been shown by Vandeurzen [Van99] that there are PFOL queries $code$ and $decode$, such that for a given database $\mathfrak{B} := ((\mathbb{R}, <, +), S^{\mathfrak{B}})$, where $S$ is $k$-ary, $code$ defines a finite set $S^{\mathfrak{B}}_{code}$ of $(k+1)$-tuples of points, and $S^{\mathfrak{B}}$ can be recovered from this finite encoding by the formula $decode$, i.e., $S^{\mathfrak{B}} = \{\bar a : (\mathbb{R}, <, +) \models decode(S^{\mathfrak{B}}_{code}, \bar a)\}$. 

As all parameters occurring in the formulae defining the database relations are required to be rational, and therefore also all points in the encoding have rational coordinates, Lemma 9 implies that such a finite encoding of the database relation can also be defined in FO(TC). 
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We now turn to the simulation of the run of a Turing-machine M := {Q, S := 
{0, 1}, <7o, (5, {?/}) computing a given query. Here, Q is the set of states of M, 
U is the alphabet, Qq the initial state, and qf the unique halting state. 5 is a 
set of rules of the form {q,a) — >■ {q',a',m), where q,q' G Q, a, a' G S, and 
m G {—1, 1,0}. Such a rule states that if M is in state q and the head scans 
a position labelled a then M replaces a by a', goes into state q' and moves 
according to m the head to the left, to the right, or not at all. 

We can assume w.l.o.g. that M operates on the encoding of the input 
database as defined above. Further, we assume that the machine halts with 
the head scanning the first position on the tape. 

A configuration of $M$ will be encoded as a tuple $(x_l, x_r, t, s)$, where $x_l$ and $x_r$ are natural numbers encoding the tape content, $0 \le t \in \mathbb{N}$ denotes the step counter, and $s$ contains the current state of the Turing machine. A tape content $a_0 a_1 \ldots a_n$ will be encoded as follows. Let $0 \le p \le n$ be the current head position. The inscription $a_0 \ldots a_{p-1}$ of the tape to the left of $p$ is coded inversely, i.e., as $a_{p-1} \ldots a_0$, in $x_l$ by $x_l := \sum_{i=0}^{p-1} 2^i \cdot a_{p-1-i}$. The inscription $a_p \ldots a_n$ of the tape to the right of $p$ is coded in $x_r$ by $x_r := \sum_{i=0}^{n-p} 2^i \cdot a_{p+i}$. As the machine only uses finitely many positions on the tape and all cells which have not been visited by the machine are defined to be 0, we can also think of $x_r$ as the infinite sum $\sum_{i=0}^{\infty} 2^i \cdot a_{p+i}$.

The run of $M$ will be simulated by the formula $\varphi_M$. We use bold face letters $\mathbf{q_0}, \mathbf{q_f}, \ldots, \mathbf{a}, \mathbf{m}$ to denote fixed constants of the Turing machine, e.g. states $q_0$, symbols $a$ of the alphabet, or $m$.

$$\varphi_M := \exists t\, \exists x\, \Big[\mathrm{TC}_{x_l,x_r,t,s;\;x'_l,x'_r,t',s'}\; \big((t = -1 \wedge \mathrm{init}) \;\vee\; (t \ge 0 \wedge s \ne \mathbf{q_f} \wedge \mathrm{compute})\big)\Big](-1,-1,-1,-1;\; 0, x, t, \mathbf{q_f})$$



The formulae init and compute are defined such that

1. $\mathrm{init}(x'_l, x'_r, t', s')$ becomes true for the tuple $x'_l, x'_r, t', s'$ coding the input configuration, i.e., $x'_l = 0$, $x'_r$ codes the input, $s' = \mathbf{q_0}$, i.e., the machine is in the initial state, and, finally, $t' = 0$.

2. $\mathrm{compute}(x_l, x_r, t, s;\; x'_l, x'_r, t', s')$ becomes true for a pair of tuples if $x'_l, x'_r, t', s'$ codes the successor configuration of the configuration coded in $x_l, x_r, t, s$.

The conjunct $s \ne \mathbf{q_f}$ is needed to terminate the evaluation of the formula once the machine reaches the final state $q_f$.

We now turn to the definition of the formula compute. To define this, we first need three auxiliary formulae $\text{move-right}_a$, $\text{move-left}_a$, and $\text{don't-move}_a$ with free variables $\{x_l, x_r, x'_l, x'_r\}$ which define the transition from the tape content coded in $(x_l, x_r)$ to the new tape content if the machine writes the symbol $a$ and moves to the right, to the left, or doesn't move at all.

(i) move-right is defined as

$$\text{move-right}_a := x'_l = 2x_l + a \;\wedge\; x'_r = x_r \,\mathrm{div}\, 2.$$
Consider the following situation:

(figure not reproduced)

where the head scans the symbol $b$, the tape to the left is coded in $x_l$, and the tape to the right containing $b$ is coded in $x_r$. As the head moves to the right, the pair $(x'_l, x'_r)$ must code the new tape content as follows.

(figure not reproduced)

Thus, the position containing the $b$ must be removed from the right side coded in $x_r$ and $x'_r$ resp., it must be added to the left side coded in $x_l$ and $x'_l$ resp., and the symbol $b$ must be replaced by $a$. This is done by setting $x'_r$ to $x_r \,\mathrm{div}\, 2$, i.e., removing the position entirely, and setting $x'_l$ to $2x_l + a$. The same ideas are used in the next two formulae taking care of the head moving to the right or not moving at all.

(ii) don't-move is defined as

$$\text{don't-move}_a := x'_l = x_l \;\wedge\; x'_r = (x_r \,\mathrm{div}\, 2)\cdot 2 + a.$$

(iii) move-left is defined as

$$\text{move-left}_a := x'_l = x_l \,\mathrm{div}\, 2 \;\wedge\; x'_r = ((x_r \,\mathrm{div}\, 2)\cdot 2 + a)\cdot 2 + (x_l \bmod 2).$$

We are now ready to state the definition of the formula compute.

$$\mathrm{compute} := t' = t + 1 \;\wedge\; \exists c\, \Big(c = x_r \bmod 2 \;\wedge \bigvee_{(q,a)\to(q',a',m)\in\delta} \big(s = \mathbf{q} \wedge s' = \mathbf{q'} \wedge c = \mathbf{a} \wedge ((\mathbf{m} = 1 \wedge \text{move-right}_{\mathbf{a'}}) \vee (\mathbf{m} = 0 \wedge \text{don't-move}_{\mathbf{a'}}) \vee (\mathbf{m} = -1 \wedge \text{move-left}_{\mathbf{a'}}))\big)\Big).$$
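The tape encoding $(x_l, x_r)$ and the three move formulae above, checked mechanically against an explicit list-of-cells tape, as an added example that is not part of the paper. The functions `encode`, `move_right`, `dont_move`, `move_left`, `compute` and `run` are this example's own names for the paper's formulae; the unary-increment machine `INC` is a constructed toy machine (it uses a leading 0 as a marker so the head can return to the first position before halting, as the paper assumes).

```python
from itertools import product

# Tape cells are bits a_0 .. a_n, the head is at position p.
# The left part a_{p-1} .. a_0 is coded "inversely": a_{p-1} is the least
# significant bit of x_l; a_p is the least significant bit of x_r.
def encode(tape, p):
    x_l = sum(2 ** i * tape[p - 1 - i] for i in range(p))
    x_r = sum(2 ** i * tape[p + i] for i in range(len(tape) - p))
    return x_l, x_r

# The three transition formulae of the paper read as functions of (x_l, x_r)
# and the written symbol a.
def move_right(x_l, x_r, a):
    return 2 * x_l + a, x_r // 2

def dont_move(x_l, x_r, a):
    return x_l, (x_r // 2) * 2 + a

def move_left(x_l, x_r, a):
    return x_l // 2, ((x_r // 2) * 2 + a) * 2 + x_l % 2

MOVES = {1: move_right, 0: dont_move, -1: move_left}

# Reference semantics on an explicit list tape: write a, then move the head.
def step_list(tape, p, a, m):
    tape = tape[:]
    tape[p] = a
    p += m
    if p == len(tape):          # cells never visited are 0
        tape.append(0)
    return tape, p

def formulae_agree_with_list_tape(max_len=4):
    """True iff each move formula equals the list semantics on every tape of
    length <= max_len, every head position, written symbol and move."""
    for n in range(1, max_len + 1):
        for tape in product((0, 1), repeat=n):
            for p in range(n):
                for a, m in product((0, 1), (-1, 0, 1)):
                    if p + m < 0:       # no cell to the left of position 0
                        continue
                    got = MOVES[m](*encode(list(tape), p), a)
                    want = encode(*step_list(list(tape), p, a, m))
                    if got != want:
                        return False
    return True

# compute: one step of the machine on a configuration (x_l, x_r, t, s).
# delta maps (state, scanned symbol) -> (new state, written symbol, move).
def compute(config, delta):
    x_l, x_r, t, s = config
    c = x_r % 2                         # the symbol under the head
    s2, a2, m = delta[(s, c)]
    x_l2, x_r2 = MOVES[m](x_l, x_r, a2)
    return x_l2, x_r2, t + 1, s2

def run(delta, q0, qf, x_r, max_steps=10_000):
    """Iterate compute from (0, x_r, 0, q0), the role of the transitive
    closure in phi_M, until state qf; None if no halt within max_steps."""
    config = (0, x_r, 0, q0)
    for _ in range(max_steps):
        if config[3] == qf:
            return config
        config = compute(config, delta)
    return None

# Constructed toy machine: unary increment on a tape "0 1^k 0 ...". The
# leading 0 is a marker, so the head can walk back and halt at position 0.
INC = {
    ("q0", 0):   ("scan", 0, 1),
    ("scan", 1): ("scan", 1, 1),
    ("scan", 0): ("back", 1, -1),
    ("back", 1): ("back", 1, -1),
    ("back", 0): ("qf", 0, 0),
}

def increment(k):
    """Run INC on 0 1^k; return (ones on the tape, steps, x_l, final state)."""
    x_r = sum(2 ** i for i in range(1, k + 1))     # 0 1^k, head at position 0
    x_l, x_r, t, s = run(INC, "q0", "qf", x_r)
    return bin(x_r).count("1"), t, x_l, s
```

`run` mirrors the shape of $\varphi_M$: it starts from a fixed initial tuple, applies `compute` step by step, and stops on the first tuple whose state is $q_f$, which is exactly what the conjunct $s \ne \mathbf{q_f}$ achieves inside the transitive closure.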

We now turn to the definition of the formula init. Again we first need some auxiliary formulae. Recall from above that there is a formula enc which defines a representation $\mathrm{enc}(S)$ of the input $S$ by a finite set of tuples of points. We use this to define the initial configuration by letting the Turing tape contain this set of tuples of points. To simplify notation, we assume an encoding $S' := \mathrm{enc}(S)$ of the input $S$ by a finite set of natural numbers, i.e., the tuples of points reduce to 1-tuples of points and, further, the coordinates of these "points" are natural numbers. Observe that such an encoding does not correspond to any possible input relation $S$, but the extension to points and tuples of higher dimension and to rational coordinates is straightforward. We comment on this below.

The formula init is defined as

$$\mathrm{init}(x'_l, x'_r, t', s') := t' = 0 \;\wedge\; s' = \mathbf{q_0} \;\wedge\; x'_l = 0 \;\wedge\; \mathrm{start}(x'_r),$$



where the formula start is defined as

$$\mathrm{start}(x) := \exists p\, \Big(p = \max(S') \;\wedge\; \Big[\mathrm{TC}_{x,p;\;x',p'}\; \big((x = -1 \wedge p' = \min(S') \wedge \mathrm{append}(1, p', x')) \;\vee\; (p \in S' \wedge p' \in S' \wedge p' = \mathrm{succ}(p) \wedge \mathrm{append}(x, p', x'))\big)\Big](-1,-1;\; x, p)\Big).$$



Here the formulae max, min, and succ are defined with respect to the lexicographical ordering of the points in the encoding $S'$, and the formula $\mathrm{append}(x, p, x')$ defines $x'$ to code the tape inscription obtained from the inscription coded in $x$ with the bit representation of $p$ appended at the end. It is defined as

$$\mathrm{append}(x, p, x') := \exists c\, \exists d\, \Big(x' = c + x \;\wedge\; \Big[\mathrm{TC}_{x,p;\;x',p'}\; \big(p' = 2\cdot p \;\wedge\; x' = x \,\mathrm{div}\, 2 \;\wedge\; x > 0 \;\wedge\; (\exists p \in S'\; x < p)\big)\Big](x, p;\; d, c)\Big).$$



The formula first shifts the bit representation of the point $p$ as many bits to the right as the number of bits needed for the representation of $x$ and stores the result in $c$. Then it simply adds $x$ to $c$ and gets the desired bit representation in $x'$. The part that might cause confusion is the conjunct $(\exists p \in S'\; x < p)$. This is unnecessary for the computation of $x'$ but guarantees that the evaluation of the formula terminates. This is achieved by bounding the values for $x$ by the largest point in the encoding $S'$. As $S'$ is finite, the process of building up the transitive closure must be finite as well.

As mentioned above, the case that the encoding $S'$ is unary does not happen for any input relation. Also it is unlikely that the points in the encoding all have natural coordinates. But the formula can easily, although with a huge overhead in notation, be extended to rational numbers and encodings of higher arity. Termination of the evaluation process is also guaranteed for the general case, as all the computations needed to encode the input can be bounded by the values of points in the finite set $S'$.

Finally, we have to decode the result of the computation. For this we can use the PFOL-formula decode mentioned above. Further, we need some preprocessing to decode the output of the machine, given as one single number $x$, into tuples of points. But the inductions involved can all be bounded by the number $x$ coding the output of the Turing machine.

Now, the proof of the following lemma is straightforward.



Lemma 10 Let $f$ be a query on constraint databases over $(\mathbb{R}, <, +)$ and let $M$ be a Turing machine computing it. Let $f_\varphi := \mathrm{op}_{\varphi_M}$ be the function assigned by the operational semantics to the formula $\varphi_M$ as constructed above. Then, for each database $\mathfrak{B} := ((\mathbb{R}, <, +), \sigma)$,

(i) $M$ halts on input $\mathfrak{B}$ if, and only if, $f_\varphi(\mathfrak{B})$ is defined, and

(ii) $f_\varphi(\mathfrak{B})$ defines the same set of elements as represented by the output of $M$ on $\mathfrak{B}$.



Thus we have shown the following theorem.

Theorem 11 Under the operational semantics defined above, FO(TC) defines exactly the partially computable queries on constraint databases over $(\mathbb{R}, <, +)$.

The proof of the theorem also yields a negative answer to further decidability questions. For instance, one might ask whether it is decidable for a given FO(TC)-formula $\varphi$ and a first-order formula $\psi$ if for all databases $\mathfrak{B}$ such that $\mathrm{mod}_\varphi(\mathfrak{B})$ is defined $\mathrm{op}_\varphi(\mathfrak{B}) \subseteq \mathrm{op}_\psi(\mathfrak{B})$. Using the proof given above, it is an easy exercise to reduce the halting problem for Turing machines to this question, thus proving it undecidable.

Corollary 12 Let $\varphi$ be a FO(TC)-formula and $\psi \in \mathrm{FO}$. It is undecidable whether for all databases $\mathfrak{B} \in \mathrm{CDB}(\mathbb{R}, <, +)$ such that $\mathrm{mod}_\varphi(\mathfrak{B})$ is defined,

$$\mathrm{op}_\varphi(\mathfrak{B}) \subseteq \mathrm{op}_\psi(\mathfrak{B}).$$



3.3 Completeness of Stratified Datalog and Least Fixed-Point Logic

Clearly, FO(SFP) is more expressive than FO(TC). Thus, Theorem 11 generalises to FO(SFP) and FO(LFP) in the sense that each partially computable query can be defined in these logics. However, a bit of care has to be taken on whether the formulae terminate in the cases where the query is computable. Let $\varphi := [\mathrm{TC}_{x,y}\, \psi(x,y)](u,v)$ be a FO(TC)-formula. Then $\varphi$ can inductively be translated to the equivalent FO(SFP)-formula $\varphi^* := [\mathrm{SFP}_{R,x,y}\; \psi^*(x,y) \vee \exists z\,(Rxz \wedge \psi^*(z,y))](u,v)$. However, under the standard operational semantics, this formula might not terminate although, given the operational semantics above, the FO(TC)-formula might. To avoid this we recursively translate formulae $\varphi$ as above to $\varphi^* := [\mathrm{SFP}_{R,x,y}\; (x = u \wedge \psi^*(x,y)) \vee \exists z\,(Rxz \wedge \psi^*(z,y))](u,v)$. This closely resembles the operational semantics we used for FO(TC) and thus guarantees termination of the formulae.



3.4 Existential Fixed-Point Logic 

In the previous sections we have seen that FO(TC), FO(SFP), and FO(LFP) all express the same class of partially recursive queries. Regarding existential fixed-point logic (FO(EFP)), it can easily be shown that this logic is much weaker than the other three. In fact, there are even first-order definable queries that are not expressible in existential fixed-point logic. An example is the boolean query that is true for all databases which are bounded, i.e. where there is a number $c$ such that there is no point in the database with a coordinate greater than $c$. This can easily be expressed in first-order logic. As it is known that $\mathrm{FO} \cap \mathrm{FO(EFP)}$ is exactly the class of positive existential first-order formulae and that these formulae are preserved under extensions of the structure, it is an easy observation that this query cannot be expressed in existential fixed-point logic.
4 Dense Linear Orders

In this section we consider dense linear order databases, e.g. constraint databases over $(\mathbb{R}, <)$. Fixed-point logics on this class of databases have been studied in [BST98, GK99, Kre'M], where it is shown that questions about fixed-point queries on dense order databases can be reduced to the corresponding questions on finite databases. In particular, in [GK99] it has been shown that for all dense linear order databases $\mathfrak{B}$ there is a finite ordered database $\mathrm{inv}(\mathfrak{B})$ with universe $B$, called the invariant of $\mathfrak{B}$, such that

• there is a function $\pi$ from finite subsets $S \subseteq B$ to FO(LFP)-formulae over $(\mathbb{R}, <, +)$ and

• for each FO(LFP)-formula $\varphi$ on $\mathfrak{B}$ there is a FO(LFP)-formula $\varphi'$ on $\mathrm{inv}(\mathfrak{B})$

with the property that if $S := \varphi'(\mathrm{inv}(\mathfrak{B}))$ is the result of the evaluation of $\varphi'$ in the invariant of $\mathfrak{B}$ and $R := \{\bar a : (\mathbb{R}, <, +) \models \pi(S)\}$ is the set of elements satisfying the formula $\pi(S)$, then

$$R = \varphi(\mathfrak{B}),$$

where $\varphi(\mathfrak{B})$ denotes the set of tuples satisfying $\varphi$ in $\mathfrak{B}$.

Now, by the results mentioned in the introduction, it follows that the formula $\varphi'$ on the finite ordered database is equivalent to a formula $\varphi^*$ in stratified fixed-point logic. To obtain a stratified fixed-point formula equivalent to the original query $\varphi$ we have to transform $\varphi^*$ back to a formula over $\mathfrak{B}$. It follows immediately from the results proved in [GK99] that there is a stratified fixed-point formula $\psi$ over $\mathfrak{B}$ defining the relation $R$ as defined above.

Thus we have shown the following theorem. 

Theorem 13 Stratified fixed-point logic and fixed-point logic have the same expressive power on the class of finitely representable structures over the real line $(\mathbb{R}, <)$.

5 Conclusion 

In this paper we compared various fixed-point logics with respect to the fraction 
of partially computable queries on linear constraint databases they define. For 
this, we first had to equip the logics with an operational semantics, which allowed 
us to speak about computability of queries defined by these logics. We then 
showed that already transitive-closure logic is expressive enough to define all 
partially recursive queries on linear constraint databases. Thus, with respect 
to this benchmark, transitive-closure, least, and stratified fixed-point logic are 
equivalent. As mentioned in the introduction, this is contrary to the relationship 
of the logics in terms of absolute definability, i.e., where there are no restrictions 
on the class of queries under consideration. 

The motivation for choosing the class of partially recursive queries as bench- 
mark comes from the usage of fixed-point logics as query languages, where non- 
recursive queries are of no practical interest. 
Abstract. While negation has been a very active area of research in logic programming, comparatively few papers have been devoted to implementation issues. Furthermore, the negation-related capabilities of current Prolog systems are limited. We recently presented a novel method for incorporating negation in a Prolog compiler which takes a number of existing methods (some modified and improved by us) and uses them in a combined fashion. The method makes use of information provided by a global analysis of the source code. Our previous work focused on the systematic description of the techniques and the reasoning about correctness and completeness of the method, but provided no experimental evidence to evaluate the proposal. In this paper, we provide experimental data which indicates that the method is not only feasible but also quite promising from the efficiency point of view. In addition, the tests have provided new insight as to how to improve the proposal further. Abstract interpretation techniques (in particular those included in the Ciao Prolog system preprocessor) are important for the strategy to succeed.

Keywords: Negation in Logic Programming, Constraint Logic Program- 
ming, Program Analysis, Implementations of Logic Programming, Ab- 
stract Interpretation. 



1 Introduction 

The fundamental idea behind Logic Programming (LP) is to use a computable subset of logic as a programming language. Probably, negation is the most significant aspect of logic that was not included from the start, due to the significant additional complexity that it involves. However, negation has an important role, for example in knowledge representation, where many of its uses cannot be simulated by positive programs. The different proposals differ not only in expressivity but also in semantics. Presumably as a result of this, implementation aspects have received comparatively little attention. A search on The Collection of Computer Science Bibliographies [?] with the keyword "negation" yields nearly 60 papers, but only 2 include implementation in the keywords, and fewer than 10 treat implementation issues at all. Perhaps because of this, the negation techniques supported by current Prolog compilers are rather limited.



R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 485-494, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001



486 S. Munoz, J.J. Moreno, and M. Hermenegildo 



Our objective is to design and implement a practical form of negation and incorporate it into a Prolog compiler. In [?] we studied systematically what we understood to be the most interesting existing proposals: negation as failure (naf) [3], use of delays to apply naf in a secure way [14], intensional negation and constructive negation [?]. We could not find a single technique that offered both completeness and an efficient implementation. However, we proposed to use a combination of these techniques, and that information from a static analysis of the program could be used to reduce the cost of selecting among techniques. We provided a coherent presentation of the techniques, implementation solutions, and a proof of correctness for the method, but we did not provide any experimental evidence to support the proposal. This is the purpose of this paper. One problem that we face is the lack of a good collection of benchmarks using negation to be used in the tests. One of the reasons has been discussed before: there are few papers about implementation of negation. Another fact is that negation is typically used in small parts of programs and it is very difficult to find it because it is not one of their main components. Additionally, the lack of sound implementations makes programmers avoid negation, even complicating the code or changing its semantics. We have had to collect a number of examples using negation from logic programming textbooks, research papers, and our own experience teaching Prolog.

We have tested these examples with all of our techniques in order to establish their efficiency. We have also measured the improvement of efficiency thanks to the use of the static analyzers. We have used the Ciao system [4], which is an efficient Prolog implementation and incorporates all the needed static analyses. However, it is important to point out that the techniques used are fairly standard, so they can be incorporated into almost any Prolog compiler.

In both cases the results have been very interesting. The comparison of the techniques has allowed us to improve the order in which to apply them. Furthermore, we have learned that the impact of the use of the information from the analyzers is quite significant.

The rest of the paper is organized as follows. Section 2 presents more details on our method to handle negation and how it has been included in the Ciao system. Section 3 presents the evaluation of the techniques and how the results have helped us reformulate our strategy. The impact of the use of abstract interpretation is studied in Section 3.3.

2 Implementation of a Negation System 

In this section we present briefly the techniques from the literature which we have integrated in a uniform framework. The techniques and the proposed combination share the following characteristics:

— We are interested in techniques with a single and simple semantics. The simplest alternative is to use the Closed World Assumption (CWA) [7] by program completion and Kunen's 3-valued semantics [?]. These semantics will be the basis for soundness results.

— Another important issue is that they must be "constructive", i.e., program execution should produce adequate goal variable values for making a negated goal false. Chan's constructive negation [?] fulfills both objectives. However, it is difficult to implement and expensive in terms of execution resources. Our idea is to use the simplest technique for each particular case.

— The formulations need to be uniform in order to allow the mixture of techniques and to establish sufficient correctness conditions to use them.

— We also provide a Prolog implementation of each of the techniques, to combine them as well as to obtain a portable implementation of negation.

2.1 Disequality Constraints

An instrumental step in order to manage negation in a more advanced way is to be able to handle disequalities between terms such as $t_1 \ne t_2$. Prolog implementations typically include only the built-in predicate \==/2, which can only work with disequalities if both terms are ground and simply succeeds in the presence of free variables. A "constructive" behaviour must allow the "binding" of a variable with a disequality. On the other hand, the negation of an equation $X = t(Y)$ produces the universal quantification of the free variables in the equation, unless a more external quantification affects them. The negation of such an equation is $\forall Y\; X \ne t(Y)$.

We have defined a predicate =/=/2, used to check disequalities, in a similar way to explicit unification (=). The main difference is that it incorporates negative normal form constraints instead of bindings, and the decomposition step can produce disjunctions. When a universal quantification is used in a disequality (e.g., $\forall Y\; X \ne c(Y)$) the new constructor fA/1 is used (e.g., X =/= c(fA(Y))).

2.2 Negation Techniques 

— Negation as failure and delays

Typical Prolog systems' implementation of naf(Q) is unsound unless the free variables of Q are ground. The sound version ensures that the call to naf is made only when the variables of the negated goal are ground (although it has the risk of floundering). It replaces a call to $\neg p(X)$ by:

    ..., when(ground(X), naf(p(X))), ...

— Constructive negation for finite solutions

We have implemented a Prolog predicate cnegf(Q) to implement finite constructive negation, which can be used if the number of solutions can be determined to be finite. It calculates the negation of the disjunction of all solutions of Q. It is a simple and efficient version of constructive negation.

— Intensional negation and universal quantification

Intensional negation is a novel approach to obtain the program completion by transforming the original program into a new one that introduces the "only if" part of the predicate definitions (i.e., interpreting implications as equivalences). We reformulate the transformation by using a single constraint to express the complement of a term, instead of a set of terms. The transformation is fully formalized in [?].

— General constructive negation

Full constructive negation is needed when all the previous techniques are not applicable. While there are several papers treating theoretical aspects of it, we have not found papers dealing with its implementation. We decided to design an implementation from scratch. Up to now, we have achieved only a very simple implementation that certainly needs to be improved. We have implemented a predicate cneg/1 for full constructive negation.



2.3 Strategy 

Our most novel proposal is a method for combining these techniques in order to get a correct, complete, and efficient system to handle negation. Our strategy tries to use the most efficient negation method for each particular case. Information from global program analysis and some heuristics are used to select among techniques and to optimize the computations involved in the processing of negation. We assume that correct and acceptably accurate analyses are available for the properties of groundness (variables that are bound to a ground term at a certain point of the program), goal delay (identification of delay literals which will not delay, possibly after reordering), and finiteness of the number of solutions.

Our first goal is to produce a (pseudo) predicate neg/1 which will compute constructively the negation of any Prolog (sub)goal $\neg G(X)$, selecting the most appropriate technique at run-time. We would also like to generate a specialized version of neg for each negated literal in the program (each call to neg), using only the simplest technique required. This is a process prior to the call to the predicate neg/1. It is done at compile-time in the following steps:

1. Groundness of X is checked before the call to G. On success, simple negation as failure is applied, i.e., it is compiled to naf(G(X)).^1

2. Otherwise, a new program is generated replacing the goal $\neg G(X)$ by when(ground(X), naf(G(X))) and the "elimination of delays" technique is applied to it. If the analysis and the program transformation are able to remove the delay (perhaps moving the goal) the resulting program is used.^2

3. Otherwise, if the finiteness analysis over G(X) succeeds, then finite constructive negation can be used, transforming the negated goal into cnegf(G(X)).

4. Otherwise, the intensional negation approach is tried by generating the corresponding negated predicates and replacing the goal by call_not(G(X), S) that will call not_G(X). During this process, new negated goals can appear and the same compiler strategy is applied to each of them. If S is bound to success or fail then negation is solved, otherwise we continue.

5. If everything fails, full constructive negation must be used and the executed goal is cneg(G(X)).

^1 Since floundering is undecidable, the analysis only provides an approximation of the cases where negation as failure can be applied safely. This means that we may be avoiding the use of the technique even in cases where it would work properly.

^2 Again, the approximation of the analysis could forbid us to apply the method in some cases in which it might still provide a sound result.
The strategy is complete and sound with respect to Kunen's 3-valued semantics. This follows from the soundness of the negation techniques, the correctness of the analysis, and the completeness of constructive negation.

Let us illustrate the behavior of the method by using some simple examples. Consider the following program:

    less(0, s(Y)).
    less(s(X), s(Y)) :- less(X, Y).
    member(X, [X|L]).
    member(X, [Y|L]) :- member(X, L).

    p1(X) :- member(X, [0, s(0)]), neg(less(X, s(0))).
    p2(X) :- neg(less(X, s(0))), member(X, [0, s(0)]).
    p3(X) :- neg(less(X, s(s(0)))).
    p4(X) :- neg(less(s(0), X)).
    p5(X) :- neg(less(X, s(X))).

Each of the pi predicates requires a different variant. For p1, the groundness test for variable X succeeds and naf/1 can be used, so it behaves as:

    p1(X) :- member(X, [0, s(0)]),          ?- p1(X).
             naf(less(X, s(0))).            X = s(0)

Applying the "elimination of delays" analysis to the program:

    p2(X) :- when(ground(X), naf(less(X, s(0)))),
             member(X, [0, s(0)]).

the delay can be eliminated, reordering the goals as follows:

    p2(X) :- member(X, [0, s(0)]),          ?- p2(X).
             naf(less(X, s(0))).            X = s(0)

The case for p3 is solved because the finiteness test can be proved to succeed, so the program is rewritten as:

    p3(X) :- cnegf(less(X, s(s(0)))).       ?- p3(X).
                                            X =/= 0, X =/= s(0)

p4 needs intensional negation, so the generated program is:

    not_less(W, Z) :- ( W =/= 0,            ?- p4(X).
                        fA(X, W =/= s(X))   X = 0 ?;
                      ; fA(Y, Z =/= s(Y)) ). X = s(0)
    not_less(s(X), s(Y)) :-
        not_less(X, Y).
    p4(X) :-
        not_less(s(0), X).

Finally, p5 needs full constructive negation because the intensional approach is not able to give a result:

    p5(X) :- cneg(less(X, s(X))).           ?- p5(X).
                                            no
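The two run-time techniques used in the examples above, negation as failure (naf) and finite constructive negation (cnegf) from Sect. 2.2, exercised on the less/member program of Sect. 2.3 with a small Prolog-style resolver written in Python. This is an added example and not the paper's or Ciao's code; `Var`, `solve`, `naf`, `cnegf`, `p1`, `p2_naf_first` and `PROGRAM` are this example's own names, and the term representation (tuples with the functor first, lists as `('.', Head, Tail)`) is an assumption of the example.

```python
# Added example (not the paper's code): a minimal Prolog-style resolver so
# naf and cnegf can be run on less/2 and member/2 from Sect. 2.3.
# Constants are ints/strings, compound terms are tuples (functor first),
# lists are ('.', Head, Tail) ending in '[]'.

class Var:
    _n = 0
    def __init__(self, name=None):
        Var._n += 1
        self.name = name or f"_G{Var._n}"
    def __repr__(self):
        return self.name

def walk(t, s):
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Extended substitution, or None; no occurs check, as in Prolog."""
    a, b = walk(a, s), walk(b, s)
    if isinstance(a, Var):
        return s if a is b else {**s, a: b}
    if isinstance(b, Var):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return s if a == b else None

def rename(t, m):
    """Copy of a clause term with its variables renamed apart."""
    if isinstance(t, Var):
        return m.setdefault(t, Var())
    return tuple(rename(x, m) for x in t) if isinstance(t, tuple) else t

def resolve(t, s):
    t = walk(t, s)
    return tuple(resolve(x, s) for x in t) if isinstance(t, tuple) else t

def free_vars(t, acc=None):
    acc = [] if acc is None else acc
    if isinstance(t, Var) and t not in acc:
        acc.append(t)
    elif isinstance(t, tuple):
        for x in t:
            free_vars(x, acc)
    return acc

def solve(goals, s, program):
    """SLD resolution: one substitution per answer, in Prolog's order."""
    if not goals:
        yield s
        return
    goal, rest = goals[0], goals[1:]
    for head, body in program:
        m = {}
        s2 = unify(goal, rename(head, m), s)
        if s2 is not None:
            yield from solve(list(rename(body, m)) + rest, s2, program)

def plist(xs):
    t = "[]"
    for x in reversed(xs):
        t = (".", x, t)
    return t

X, Y, L = Var("X"), Var("Y"), Var("L")
PROGRAM = [                        # less/2 and member/2 from Sect. 2.3
    (("less", 0, ("s", Y)), ()),
    (("less", ("s", X), ("s", Y)), (("less", X, Y),)),
    (("member", X, (".", X, L)), ()),
    (("member", X, (".", Y, L)), (("member", X, L),)),
]
LIST_0_S0 = plist([0, ("s", 0)])   # the list [0, s(0)] used by p1 and p2

def naf(goal, program=PROGRAM):
    """Negation as failure: true iff the goal has no answer. Sound only
    when the goal is ground, which is what when(ground(X), ...) enforces."""
    return next(solve([goal], {}, program), None) is None

def p1(program=PROGRAM):
    """p1(X) :- member(X, [0, s(0)]), naf(less(X, s(0))). Answers for X."""
    v = Var("X")
    return [resolve(v, s)
            for s in solve([("member", v, LIST_0_S0)], {}, program)
            if naf(resolve(("less", v, ("s", 0)), s), program)]

def p2_naf_first(program=PROGRAM):
    """p2 with naf called while X is still free: less(0, s(0)) succeeds, so
    naf fails and the answer X = s(0) is lost. This is the unsound case."""
    v = Var("X")
    if not naf(("less", v, ("s", 0)), program):
        return []
    return [resolve(v, s)
            for s in solve([("member", v, LIST_0_S0)], {}, program)]

def cnegf(goal, program=PROGRAM):
    """Finite constructive negation: the negation of the disjunction of all
    answers, as a conjunction (list) of disjunctions (lists) of (Var, term)
    disequalities. A fresh variable inside a term is universally quantified
    (the paper's fA/1). None means the goal is unconditionally true."""
    conj = []
    for s in solve([goal], {}, program):
        disj = [(v, resolve(v, s)) for v in free_vars(goal)]
        disj = [(v, t) for v, t in disj if t is not v]
        if not disj:
            return None
        conj.append(disj)
    return conj
```

For p3, `cnegf(("less", X, ("s", ("s", 0))))` returns `[[(X, 0)], [(X, ("s", 0))]]`, which reads as the answer `X =/= 0, X =/= s(0)` shown above. For the goal of p4, `cnegf(("less", ("s", 0), X))` yields one disequality whose term `s(s(_G))` carries a fresh variable, i.e. `fA(Y, X =/= s(s(Y)))` in the notation of Sect. 2.1; the paper's compile-time strategy does not take this route for p4 because the finiteness analysis is only an approximation, as its footnotes note. The contrast between `p1()` and `p2_naf_first()` is the reason the sound version guards naf with `when(ground(X), ...)`.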



3 Evaluating the Strategy 

3.1 Example Programs 

As mentioned earlier, one problem that we have faced is the lack of a good collection of benchmarks using negation to be used in the tests. We have however collected a number of examples using negation from logic programming textbooks, research papers, and our own experience teaching Prolog:

— disjoint: Code to verify that two lists have no common elements. Negation is used to check that elements of the first list are not in the second one.

— jugs: There are two jugs, one holding 3 and the other 5 gallons of water; they are both full at the beginning. Jugs can be filled, emptied, and dumped one into the other either until the poured-into jug is full or until the poured-out-of jug is empty. Devise a sequence of actions that will produce 4 gallons of water in the larger jug. Negation is used to check that the status of the jugs is not repeated during the process.

— robot: Simulation of the behavior of a robot. Negation is used to check that possible new positions for the robot are not dangerous.

— trie: It finds the list of word-FileList pairs that shows the sublist of files where each word appears (from an initial list of words and files). Negation is used when reading words to find the first non-alphanumeric character.

— numbers9: It uses negation to detect impossible cases in balanced trees.

— closure: Transitive closure of a network. Negation is used to avoid infinite loops (detecting repeated nodes). From [15] page 169.

— union: neg(member(X, L1)) is used to check if an element X appears in both lists (for union of two lists without repetitions). From [15] page 154.

— include: include(P, Xs, Ys) is true when Ys is the list of the elements of Xs such that P(X) is true. Negation is used to detect elements that do not satisfy the property P(X). From [15] page 227.

— flatten: Flattening a list using difference-lists. Negation is used to consider lists that are not empty. From [15] Program 15.2, page 241.

— lessNodd: Returns the list of odd natural numbers that are less than a number N. Negation is used to control that a number is not even.

— friend: Deduces the relationship between two people using the stored information from a database. Negation is used to exclude ancestors and descendants from the category of friends of a person.



3.2 Experimental Results 

We have first measured the execution times in milliseconds for the previous examples when using all the different (applicable) negation techniques that we have discussed, and also noted which technique is selected by our strategy (in boldface). A '-' in a cell means that the technique is not applicable. All measurements were made using Ciao Prolog 1.5 on a Pentium II at 350 MHz. Small programs were executed a sufficient number of times to obtain repeatable data. The results are shown in Table 1, where each column means:

— const. shows the time taken by general constructive negation (cneg).

— naf/delay uses either naf directly or within a delay directive. A 'D' is placed before the time in the second case.

— fin. const. is the time of the finite version of constructive negation, cnegf.

® The negation system is coded as a library module (“package”), which includes the 
corresponding syntactic and semantic extensions (i.e. Ciao’s attributed variables). 
Such extensions apply locally within each module which uses this negation library. 



Efficient Negation Using Abstract Interpretation 491 



Table 1. Comparing different negation techniques

programs     const.   naf/delay   ratio   fin. const.   ratio    intens.   ratio
disjoint1      7440         780     9.5          2740     2.7          -       -
disjoint2      3330           -       -          1120     2.9          -       -
jugs           8140         859     9.4          2175     3.7         <1       x
robot          4600        1310     3.5          1900     2.4          -       -
trie           8950        1850     4.8          2140     4.1          -       -
numbers9     286779           -       -             -       -      25230    11.3
closure1a      5100         730     6.9          1450     3.5        140    36.4
closure2a      3520         560     6.2           900     3.9        100    35.2
closure3a     10550        1700     6.2          2700     3.9        280    37.6
closure1b     26350       D2240    11.7         16460     1.6       8570     3.0
closure2b     17400       D1500    11.6         10580     1.6       5420     3.2
closure3b     16700       D4510     3.7         10120     1.6      16070     1.0
union1         1150         300     3.8           320     3.5        189     6.0
union2        20930           -       -          9470     2.2       2940     7.1
include1       9020        1270     7.1          2680     3.3        170    53.0
include2       9910           -       -          2995     3.3          -       -
flatten       32379        8500     3.8         12570     2.5         10       x
lessNodd1     58980        4850    12.1         17550     3.3       1270    46.4
lessNodd2      7750        1490     5.2          2700     2.8          -       -
lessNodd3  >3600000           -       -             -       -       1540       x
friend1a      16150        2280     7.0             -       -      39500     0.4
friend2a      17630          <1       x             -       -         10       x
friend3a     447200       D4430   100.9             -       -      43200    10.3
friend4a   >3600000       D8750       x             -       -   >3600000       x
friend1b      17350        3020    5.74             -       -          9       x
friend2b      17650          <1       x             -       -         10       x
friend3b      92500       D3060    30.2             -       -      43200     2.1
friend4b   >3600000       D6050       x             -       -     171290       x
average                            13.0                   2.9                18.3

— intens. uses the not_'p' predicate from the intensional negation program transformation.

— ratio columns measure the speedup of the technique to their left w.r.t. constructive negation. An 'x' means the ratio is extremely high.

It is clear that the technique chosen by our strategy is always equal to or better than general constructive negation. In many cases, it is also the best of the examined techniques. We now study each technique separately:

— Using naf instead of const. results in speed-ups that range from 3.5 to 30.2. The average is more than 8.

— The delay technique, when applicable, has a considerable impact, speeding programs up even 100 times.

— The fin. const. is around 3 times faster than const.

— The intens. has a more random behavior. Very significant speed-ups are interleaved with more modest results and even some slow-down (friend1a).

The most surprising result is the efficiency of intensional negation. The transformational approach seems the most adequate in those cases, provided that we restrict the use of the technique to the case where there are no universal quantifications in the resulting program. On the other hand, it is possible that the intensional program may not be able to produce a result (wasting time) and its use is a dynamic decision. Although these problems do not arise often in practice, they are a serious risk. So we decided to modify the strategy to use intensional negation as the preferable technique, but only when it can be used safely.

In conclusion, our strategy produces notable benefits. It preserves the completeness of general constructive negation but typically at a fraction of the cost.



3.3 Measuring the Impact of Abstract Interpretation 

As mentioned above, the selection strategy and the program optimizations per- 
formed make use of information from global program analysis. We have obtained 
the information and performed the transformations using the analyzers and spe- 
cializers that are part of the Ciao system’s preprocessor, CiaoPP [10]. 

In particular, from the analysis point of view, the groundness analysis has 
been performed using the domain and algorithms described in [13]. In order to 
eliminate delays, a technique is used which, given a program with delays, tries to 
identify those that are not needed, perhaps after some safe reordering of literals, 
as described in iHns]. Finally, the upper bounds complexity and execution cost 
analysis El^ has been used to determine finiteness in the number of solutions. 

The transformations have been implemented using the specializer in CiaoPP. 
The source programs always make calls to a version of the generic predicate simi- 
lar to the neg predicate presented in section 2. The specializer creates specialized 
versions of the generic predicate for each literal calling neg, in which tests and 
clauses are eliminated as determined by the information available from the an- 
alyzers. For example, if the groundness test is proven true at compile-time, the 
specializer will eliminate the test and the rest of the clauses of neg, and eventu- 
ally even replace the literal calling neg with a direct call to naf. This is done 
automatically by CiaoPP without having to write any additional code. 

In order to estimate the advantages obtained by using this approach we 
now present some experimental results comparing the execution time of the 
programs that might be generated without the help of the analyzers and the 
versions produced automatically by the Ciao preprocessor. In the first case, the 
calls to neg always call (a slightly modified version of) the full version of the neg 
predicate. Thus, for example, the groundness test is performed at execution time. 
The clause to check the finiteness of the goal and then call cnegf is removed since 
such checking cannot be made safely at run-time. Moreover, the delay technique 
is not used because, in general, it has the risk of floundering. In contrast, the 
version obtained with the help of the analyzers can remove the groundness check, 
use the reordering proposed by the elimination of delays, and use the information 
of the finiteness analysis to call cnegf. 

^ Note that an upper bound cost that is not infinity implies a finite number of solutions 
(an alternative is [3] 

Table 2. Impact of program analysis 

program    | with pp. | without pp. | ratio | naf  | ratio | secure naf | ratio | prep.
disjoint1  |     1020 |        1700 |  1.66 |  780 |  0.76 |       1469 |  1.44 |    78
Jugs       |      969 |        8419 |  8.68 |  859 |  0.88 |       1690 |  1.74 |   227
robot      |     1960 |        3100 |  1.58 | 1310 |  0.66 |       1800 |  0.91 |   700
trie       |     1890 |        2450 |  1.29 | 1850 |  0.97 |       1900 |  1.00 |   508
union1     |      300 |         350 |  1.16 |  230 |  0.76 |        300 |  1.00 |   119
closure1a  |      730 |        2600 |  3.56 |  730 |  1.00 |        900 |  1.23 |   257
closure2a  |      570 |        1970 |  3.45 |  560 |  0.98 |        670 |  1.17 |   257
closure3a  |     1710 |        5050 |  2.95 | 1700 |  0.99 |       2010 |  1.17 |   257
include1   |     1099 |        1180 |  1.07 | 1080 |  0.98 |       1270 |  1.15 |   178
flatten    |     8859 |        9300 |  1.04 | 8500 |  0.95 |       8080 |  0.91 |   168
lessNodd1  |     7310 |        8670 |  1.18 | 4850 |  0.66 |       6300 |  0.86 |    58
lessNodd2  |     1780 |        1830 |  1.02 | 1490 |  0.83 |       1590 |  0.89 |    58
friend1b   |     3220 |        3360 |  1.04 | 3020 |  0.93 |       3180 |  0.98 |   198
friend1a   |     2820 |        2860 |  1.01 | 2280 |  0.80 |       2840 |  1.00 |   198
average    |          |             |  2.33 |      |  0.86 |            |  1.10 |
closure1b  |      610 |        8610 | 14.11 |    - |     - |          - |     - |   257
closure2b  |      570 |        5700 | 10.00 |    - |     - |          - |     - |   257
closure3b  |     1800 |       16300 |  9.05 |    - |     - |          - |     - |   257
friend3a   |     3100 |       43350 | 13.98 |    - |     - |          - |     - |   198
friend4a   |     6210 |    >3600000 |     x |    - |     - |          - |     - |   198
friend3b   |     3100 |       43400 | 14.00 |    - |     - |          - |     - |   198
friend4b   |     6210 |      171495 | 27.61 |    - |     - |          - |     - |   198
average    |          |             | 14.79 |      |       |            |       |
disjoint2  |     1125 |        3700 |  3.28 |    - |     - |          - |     - |    78
union2     |     9590 |       21010 |  2.19 |    - |     - |          - |     - |   119
include2   |     3070 |       10010 |  3.26 |    - |     - |          - |     - |   178
average    |          |             |  5.65 |      |       |            |       |
average    |          |             |  2.37 |      |  0.86 |            |  1.10 |

Table 2 presents the results. We have also added for reference columns show- 
ing the execution time of using naf directly and of a secure version of naf, i.e., 
one that checks groundness first. Finally, we have also added the time taken by 
CiaoPP to perform the analysis and transformation. 

The table reveals that the impact of abstract interpretation is significant 
enough to justify its use. For those examples where naf is applicable, the analyzer 
is able to detect groundness statically in all the cases, so the call to neg is 
replaced by naf. It is worth mentioning that the implementation of the dynamic 
groundness test in Ciao is quite efficient (it is performed at a very low level, 
inherited from its &-Prolog origins). Even so, the speedup can reach a factor 
of over 8, and the average is 2.33. The impact of the elimination of delays is 
even better in general. Notice that if the delay technique is not used, intensional 
negation could be used instead, which in many cases is a very efficient approach. 
Even with this drawback, the use of abstract interpretation is helpful. When the 
finiteness analysis avoids the use of full constructive negation, the speed-ups are 
greater than 3. The difference between the programs after preprocessing and the 
direct use of naf is irrelevant. The code produced by the preprocessor is better 
than the secure use of naf because of the elimination of groundness tests. 
Abstract. We express reactive programs in COQ using data-flow syn- 
chronous operators. Following the Lucid-Synchrone approach, synchro- 
nous static constraints are here expressed using dependent types. Hence, 
our analysis of synchrony is performed directly by the COQ typechecker. 



1 Introduction 



Synchronous languages [Hal93] have been designed to help in the conception of 
reactive systems, especially critical reactive systems (planes, power plant con- 
trol, ...). Synchrony is a program property which ensures bounded reaction time 
and memory at execution. Synchronous languages statically check this property; 
however, in a critical context, it may be needed to have a formal proof of this 
property, or more generally to prove program properties. 

In this work we are interested in Lucid-Synchrone [CP00a] (LS for short), 
a data-flow synchronous language. We present here a natural and shallow em- 
bedding of LS into the COQ proof assistant. This embedding concerns both the 
dynamic and the static semantics of the language, such that synchrony analysis 
is obtained for free. Moreover, it gives us a denotational semantics of LS in COQ 
and is thus a good starting point for designing a prover for LS programs in COQ, 
following the [Fil99,Par95] approach. This semantics can also be used to experiment 
with the language: we have used it to propose a notion of recursive functions for 
LS, as a generalization of recursive streams (see [BH01]). 

We now quickly introduce LS and COQ. These introductions only aim at 
making this paper self-contained; for more details on these tools, consult their 
tutorials and reference manuals [PCCH01, BBC+00]. 



1.1 Lucid-Synchrone 

Lucid-Synchrone is a language born to bring synchronous data-flow languages 
like Lustre [LLGHPAI] closer to general functional languages, in particular ML. 
This was needed for several reasons. First, synchronous languages were in need of 
more abstraction mechanisms. Second, to better understand the link between 
these two families of languages, and third, to use this link in a certification 
or proof context. LS has proved to bring good answers to the first need: it has 
inspired the next generation of the industrial tool Scade [Tel01] [CP00b]. We are 
here interested in the third need, and in formally certifying or proving programs. 

^ The LS compiler is available at: http://www-spi.lip6.fr/lucid-synchrone/ 

R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 495-506, 2001. 
© Springer-Verlag Berlin Heidelberg 2001 

LS is an ML-like language over streams (or data-flows): all values are infinite 
sequences. These streams can be, at each instant, either absent or present. They 
are equipped with a clock, a boolean information indicating at each instant 
whether the stream is present or absent. The clock which is always true is 
called the basic clock of the system. To ensure synchrony, clocks have to satisfy 
some constraints; this is checked by a static analysis, the clock calculus [Cas92]. 
Previous work on LS [CP98] has shown that it could be defined as an ML type 
system extended with dependent types. This has allowed the LS compiler to 
provide clock polymorphism and inference. 

The compiler also performs other static analyses. In particular, it checks causal- 
ity in recursive definitions. Instantaneous recursion is forbidden: the current 
value of a stream must not depend on itself. This property is also represented 
in our encoding. 



1.2 COQ 

COQ is a proof assistant based on the Calculus of Constructions [CH88], enriched 
with inductive [PM93] and co-inductive [Gim94] type definitions. The Calculus of 
Constructions is a typed lambda-calculus with types as first-class values (i.e. 
types are terms). Hence, terms may be: 

• identifiers, defined constants or declared variables in the context. 

• the application of a functional term M to a term N, denoted by “(M N)”. 

• the abstraction of a variable x of type A in a term b, denoted by “[x:A]b”. 

• the product of a type family B indexed by a variable x of type A (i.e. the 
type of functions “[x:A]b” where b is of type B, assuming x of type A). It is 
generally denoted by “(x:A)B”, or simply “A->B” if x does not occur in B. 

In the spirit of the Curry-Howard isomorphism, types may represent programming 
datatypes or logical propositions. This is expressed in COQ using two special 
types of types: Set as the type of datatypes, and Prop as the type of propositions. Hence, 
“(x:A)B” may also be interpreted as “for all x in A, B” and as logical 
implication. 

Via coinductive type definitions [Gim98], COQ provides infinite values and 
co-recursion^. We have used them to define synchronous streams in COQ. 

COQ provides syntactic features, such as implicit terms (denoted by a “?”) 
or defined constants with implicit arguments, that force the system to try some 
type inference à la ML^. We have heavily used these features to provide some 
clock inference. 

^ Let us note however that COQ is strongly normalizing: hence, all computations ter- 
minate, even on infinite values. 

^ With the following exceptions: there is no mechanism for polymorphic generalization, 
and inference may fail due to the undecidability of higher-order unification. 
1.3 Related Works 

Valid LS programs satisfy some non-trivial static properties. Some of these prop- 
erties are guaranteed by static analyses performed by the compiler. Others are 
guaranteed by construction, i.e. by the semantics of the language. A first dif- 
ficulty was to understand how to integrate these properties in our description. 
If we are only interested in proving properties about LS programs, then a sim- 
ple approach consists in stating these properties as axioms or hypotheses in the 
description, relying on a compiler to check them. This approach is for instance 
suggested by [BCDPV99]. Here, we are more ambitious. We want to prove the ex- 
istence of LS programs, and their fundamental static properties, independently 
of any external system. This is also the approach of [DCC00]. In this approach, a 
compiler could still be used to provide some COQ proofs from its static analysis, 
thus easing the work in COQ. 

Synchronous languages have been introduced for software and hardware reli- 
ability. Thus, formalizing synchronous systems is an active research area. A lot of 
case studies have been done, using many formalisms [KNT00, BCDPV99, CGJ9^]. 
There are also some axiomatizations of synchronous languages [BCDPV99] 
[NBT98]; our work lies in this latter category. Our main originality here is to em- 
bed the clock calculus of LS as a special instance of the COQ type system. LS is well- 
suited for this study, as its clock calculus is expressed as a dependent type system, 
whereas other synchronous data-flow languages (Lustre, Signal [BLJ91]) use 
specific analyses. 

2 Sampled Streams and Their Equality in COQ 

We first define the type of “sampled elements of A”, to represent instantaneous 
values of type A in synchronous streams. At a given instant, a sampled element 
can be either present or absent. We also introduce an error element, which will 
be raised in case of instantaneous recursion (non-causal program). 

Then, we define clocks as streams of booleans. The type of “sampled streams” 
can then be defined as a coinductive type parametrized by a type A and a clock 
c. Its single constructor sp_cons takes as arguments a sampled element and a 
sampled stream. 

Inductive samplElt [A:Set] : bool -> Set := 
  | None: (samplElt A false) 
  | Any: A -> (samplElt A true) 
  | Fail: (samplElt A true). 

Definition clock := (Stream bool). 

CoInductive samplStr [A:Set] : clock -> Set := 
  sp_cons: (c:clock) 
    (samplElt A (hd c)) -> (samplStr A (tl c)) -> (samplStr A c). 

We define two destructors sp_hd and sp_tl for accessing respectively the head 
and the tail of sampled streams. We have of course the following property: 

Lemma unfold_samplStr: 
  (c:clock; s:(samplStr A c)) s=(sp_cons (sp_hd s) (sp_tl s)). 

The equality we consider over sampled streams, denoted by sp_eq, is bisimu- 
lation or extensional equality. It is defined for streams that may not have inter- 
convertible clocks, but only bisimilar clocks. We have also defined a notion of 
“clock coercion” compatible with bisimulation (see [BH01]). 

We are actually only interested in programs producing wellformed sampled 
streams, i.e. sampled streams without a Fail element. Hence, we have defined a log- 
ical predicate sp_wf indicating the wellformedness of sampled streams (see [BH01]). 

3 Lucid-Synchrone Data-Flow Operators in COQ 

We now detail the encoding of LS data-flow operators. The language provides 
three kinds of operators: point-wise operators are classical operators like +, -, 
... lifted to streams; sampling operators are stream operators allowing under- or 
over-sampling; and delay operators allow delaying a stream. 

3.1 Point-Wise Operators 

First, every object of the base language is lifted into a constant sampled stream. 
As in LS, these constants have polymorphic clocks. Operator elt_const returns a 
sampled element: either Any of its argument or None, depending on the clock. The 
sp_const operator only iterates it on every instant. To make the following COQ 
code more readable, we have replaced by “...” some type information needed by 
typechecking. By convention, A and B are variables of type Set. 

Variable a: A. 

Definition elt_const : (b:bool)(samplElt A b) 
  := [b]<...>if b then (Any a) else (None A). 

CoFixpoint sp_const : (c:clock)(samplStr A c) 
  := [c](sp_cons (elt_const (hd c)) (sp_const (tl c))). 

Lifted functions will then be applied point-wise on streams. sp_extend takes 
a stream of functions and a stream of arguments, and returns the stream of their 
point-wise application. Functions and arguments are required to be on the same 
clock; thus, no memory is required by this function. As before, elt_extend is 
the instantaneous application on sampled elements, and sp_extend iterates it on 
every instant. 

An interesting application of sp_extend is the definition of sp_if, the point- 
wise if-then-else (or multiplexer in circuits): 

Definition If := [b:bool; x,y:A]if b then x else y. 

Definition sp_if := 
  [c:clock; lc:(samplStr bool c); x,y:(samplStr A c)] 
  (sp_extend (sp_extend (sp_extend (sp_const If ?) lc) x) y). 

Definition elt_extend: 
  (b:bool)(samplElt A->B b) -> (samplElt A b) -> (samplElt B b) 
  := [b; f]<...>Cases f of 
     | None => [_](None B) 
     | (Any vf) => 
         [x]Cases x of 
            | (Any vx) => (Any (vf vx)) 
            | Fail => (Fail ?) 
            | ... 
            end 
     | Fail => [_](Fail ?) 
     end. 

CoFixpoint sp_extend: 
  (c:clock)(samplStr A->B c) -> (samplStr A c) -> (samplStr B c) 
  := [c; f; x](sp_cons (elt_extend (sp_hd f) (sp_hd x)) 
                       (sp_extend (sp_tl f) (sp_tl x))). 

Fig. 1. Definition of the extend operator 



3.2 Sampling Operators 

Sampling operators are used either to filter a stream (when) or to combine several 
complementary streams (merge). The when operator filters a stream on a boolean 
condition: the result is the sub-stream of the input that is only present when the boolean 
condition is true. Thus the clock of the result differs from the one of the input: 
it is on a subclock of it, defined by the condition. 

We first need an operator to dynamically build such a subclock. The clock 
constructor sp_on coerces a sampled boolean stream into a clock. Hence, this is 
the type operator introducing dependent types in the LS clock system. 

As usual, elt_on defines the instantaneous behavior of the constructor, and 
sp_on only iterates it on every instant. With Fail as argument, elt_on returns 
true: the error will be diffused by the sampling operations (see elt_when below). 

Definition elt_on: (b:bool)(samplElt bool b) -> bool 
  := [b; o]Cases o of 
     | None => false 
     | (Any x) => x 
     | Fail => true 
     end. 

CoFixpoint sp_on: (c:clock)(samplStr bool c) -> clock 
  := [c; lc](Cons (elt_on (sp_hd lc)) (sp_on (sp_tl lc))). 

Now we can define sp_when, the sampling operator. It simply copies its input, 
forgetting elements when the clock of the output is false. 

Definition elt_when: 
  (b:bool; o:(samplElt bool b))(samplElt A b) -> (samplElt A (elt_on o)) 
  := [b; o]<...>Cases o of 
     | None => [x](None ?) 
     | (Any b0) => 
         [x:(samplElt A true)]<...>if b0 then x else (None ?) 
     | Fail => [x](Fail ?) 
     end. 

CoFixpoint sp_when: 
  (c:clock; lc:(samplStr bool c))(samplStr A c) -> (samplStr A (sp_on lc)) 
  := [c; lc; x](sp_cons (elt_when (sp_hd lc) (sp_hd x)) 
                        (sp_when (sp_tl lc) (sp_tl x))). 

The sp_merge operator is defined in the same way. It is a kind of if-then-else 
whose branches have exclusive clocks^. It allows a kind of over-sampling, since the 
output is on a faster clock than the branches of the sp_merge. Its type is: 

CoFixpoint sp_merge: 
  (A:Set; c:clock; lc:(samplStr bool c)) 
  (samplStr A (sp_on lc)) 
  -> (samplStr A (sp_on (sp_not lc))) -> (samplStr A c). 

We have the following relation between sp_if, sp_merge and sp_when (where sp_eq 
is bisimulation over sampled streams): 

Lemma if_equiv: 
  (A:Set; c:clock; lc:(samplStr bool c); x,y:(samplStr A c)) 
  (sp_wf x) -> (sp_wf y) -> 
  (sp_eq (sp_if lc x y) 
         (sp_merge (sp_when lc x) (sp_when (sp_not lc) y))). 

3.3 Delay Operators 

Delay operators allow referring to past values, thus providing implicit memory 
manipulations. We consider here the “followed by” operator (fby), which is an 
initialized delay (LS also provides an uninitialized delay and an initializer; their full 
description in COQ can be found in [BH01]). 

If x and y are two streams sampled on the same clock, then x fby y is a 
stream sampled on this clock, whose present elements are, at first, the first 
present element of x, and then forever the previous present element of y. Hence, 
x fby y is a delay of y, initialized with the first element of x. 

The fact that x and y have the same clock is fundamental here: it guarantees 
that only one element of y will have to be memorized before x yields its first 
value, i.e. fby is a one-place buffer. Hence, clocks provide here a simple way to 
express static synchronization constraints. 

^ In the type of sp_merge, sp_not is the point-wise negation defined using sp_extend. 
Examples in COQ syntax. Before defining fby formally in COQ, we study 
some examples to illustrate the expressive power of delays within the rest of the 
language. It is also an opportunity to show the inference mechanisms of COQ, 
which are very close to the inference mechanisms of LS. We use here some grammar 
extensions of COQ, to provide a friendlier syntax: 

• lifted constants are given between back-quotes, as `(0)`; their clocks are 
inferred. 

• sp_extend is abbreviated into ext. 

• when is the infix notation corresponding to the operator sp_when, with per- 
muted arguments (hence the condition is given on the right). 

• merge is an abbreviation for sp_merge, forcing the condition to be explicit 
(the condition is implicit in sp_merge, which makes type inference fail 
on most practical examples). 

• rec0 is the fixpoint operator for streams. It takes a function as argument, 
which introduces the bound name for referring to recursive occurrences of 
the stream being built. rec0 may be prefixed by “<c>” where c is the clock of 
the result. This syntactic feature is useful for binding clock variables which 
need to be generalized by hand. This operator is studied in detail in 
section 4. 

The sequence of natural numbers can now be written as Nat below. COQ 
infers the type (c:clock)(samplStr nat c) for this definition. This stream is 
polymorphic on its clock; this must be explicitly expressed to COQ. Here, COQ 
infers clocks for the constants `(0)` and `S` (the natural successor function), using 
the fby and ext clock constraints. 

Definition Nat := [c](<c>rec0 [N](`(0)` fby (ext `S` N))). 

We can also define the Fibonacci sequence^: 

Definition Fib := 
  [c](<c>rec0 [fib](`(1)` fby (ext (ext `plus` fib) (`(0)` fby fib)))). 

A delicate feature of delays is that they do not permute with sampling 
operators. For instance, Nat_on and Nat_mod, both of the same type, differ only 
in their definition by the position of when with respect to fby. Their semantics 
are very different. The former enumerates naturals on (sp_on lc), and returns 
zero on (sp_on (sp_not lc)). The latter indicates at each instant the number of 
instants passed since lc was false. Indeed, in the former case, when is applied 
before fby: thus, the clock of fby is (sp_on lc). On the contrary, in the latter 
case, fby is on c. 

Definition Nat_on := 
  [c; lc](<c>rec0 [N](merge lc (`(0)` fby ((ext `S` N) when lc)) `(0)`)). 
Definition Nat_mod := 
  [c; lc](<c>rec0 [N](merge lc ((`(0)` fby (ext `S` N)) when lc) `(0)`)). 

^ In LS, this definition is compiled using only a memory size of two integers. 
Formal description of fby. Below, we first define an internal operator (i.e. not 
an LS operator) for delay. It takes a sampled stream and a sampled element on 
true (i.e. Fail or a value) and uses it to initialize the delay. It is defined 
by cofixpoint, and this last parameter is actually used for memorizing the last 
element of the stream. Then, we define sp_fby x y: we wait for the first present 
element of x and use it to delay y. 

CoFixpoint sp_delay: 
  (c:clock)(samplStr A c) -> (samplElt A true) -> (samplStr A c) 
  := [c]<...>Cases c of (Cons hc tc) => 
     <...>if hc 
     then 
       [x; a](sp_cons a (sp_delay (sp_tl x) (sp_hd x))) 
     else 
       [x; a](sp_cons (None A) (sp_delay (sp_tl x) a)) 
     end. 

CoFixpoint sp_fby: 
  (c:clock)(samplStr A c) -> (samplStr A c) -> (samplStr A c) 
  := [c]<...>Cases c of (Cons hc tc) => 
     <...>if hc 
     then 
       [x; y](sp_delay y (sp_hd x)) 
     else 
       [x; y](sp_cons (None A) (sp_fby (sp_tl x) (sp_tl y))) 
     end. 



4 Recursive Constructions 

Recursive constructions in LS cannot be directly (or syntactically) translated 
into cofixpoints of COQ: the guard conditions of COQ are too restrictive for this 
purpose. However, we can build in COQ a generic recursion operator (using the 
cofixpoints of COQ) which emulates the recursive constructions of LS. This kind 
of trick is already used in the standard library of COQ for emulating generic 
wellfounded recursion with primitive recursion. However, here the computational 
behavior of our recursive constructions is very far from the one obtained when compiled 
in LS. 

LS provides two notions of recursive constructions: recursive streams and 
recursive functions of streams. The first are always reactive, but not the sec- 
ond (see [BH01]). Thus, we are especially interested in the first construction. 
However, we define here a unique recursion operator, from which both con- 
structions can be derived. As some preconditions of this recursion operator can 
be simplified in the particular case of recursive streams, we only present this 
case. We do not present here the formal encoding of this operator (see [BH01]); 
it is built classically as a smallest fixpoint, by successive approximations using 
Fail. Indeed, for the considered functions, there is at most one fixpoint (see 
rec0_uniq below): the smallest is also the biggest. 
4.1 Basic Recursion on Streams 

Recursive streams are built by iterating a function on itself infinitely, using the 
rec0 operator used in the previous examples. This operator is of type: 

(A:Set; c:clock)((samplStr A c) -> (samplStr A c)) -> (samplStr A c) 

However, applying rec0 only makes sense for functions satisfying some precon- 
ditions: length-fail-preservation (F0_lfp) on the basic clock, and wellformedness- 
increase (F0_nfstwf_inc). 

Variable c: clock. 

Variable F0: (samplStr A c) -> (samplStr A c). 

Hypothesis F0_lfp: 
  (s1, s2:(samplStr A c); n:nat) 
  (sp_inf n s1 s2) -> (sp_inf n (F0 s1) (F0 s2)). 

Hypothesis F0_nfstwf_inc: 
  (n:nat; s:(samplStr A c))(glob_nfstwf n s) -> (glob_nfstwf (S n) (F0 s)). 

We now detail the meaning of these preconditions. 

Length-fail-preserving functions (on the basic clock). Length-fail-preservation on 
the basic clock is an invariant property satisfied by every LS program. It deals 
both with synchrony (length-preservation) and with the “error semantics” of 
Fail (fail-preservation). 

Length-preservation on the basic clock means that for every LS function, at 
every instant, the function takes one sampled element (possibly None) and returns 
one sampled element (possibly None). Fail-preservation means that functions are 
monotone with respect to the flat order with Fail as minimum element. 

Hence, we have defined (sp_inf n) as an order over sampled streams such 
that (sp_inf n s1 s2) means that the first n elements of s1 are inferior, for the 
flat order, to their respective elements in s2 (see [BH01]). Now we informally 
say that a function is length-fail-preserving if for every n, it preserves the order 
(sp_inf n). Length-fail-preservation has been proved for all LS operators. 

Wellformedness-increase. Wellformedness-increase is related to causality: 
length-fail-preserving and causal functions are indeed wellformedness-increasing. 
First, we have defined a notion of “partial-wellformedness”: (glob_nfstwf n s) 
indicates whether the stream s has no fail element until the n-th instant of the 
basic clock (see [BH01]). And we say that a function F of type (samplStr A 
c) -> (samplStr A c) is wellformedness-increasing if its input being partially well- 
formed until the n-th instant implies that its output is partially wellformed until 
the (n+1)-th instant. Thus, by iterating F infinitely, we build a wellformed 
stream. 

Then, we can prove that sp_fby is wellformedness-increasing on its second 
argument, and for the other operators, we can prove partial-wellformedness preser- 
vation. 
Correctness of rec0. Under the preconditions given above, (rec0 F0) is of type 
(samplStr A c), and satisfies the three following properties (proven in COQ), 
stating that (rec0 F0) is wellformed, and is the unique fixpoint of F0. 

Lemma rec0_wf: (sp_wf (rec0 F0)). 

Theorem rec0_inv: (sp_eq (rec0 F0) (F0 (rec0 F0))). 

Theorem rec0_uniq: 
  (r0:(samplStr A c))(sp_eq r0 (F0 r0)) -> (sp_eq (rec0 F0) r0). 

We have already seen some examples of single recursive streams using rec0. 
The satisfaction of the recursion preconditions for each of these examples has been 
proved in COQ. Most often, these proofs have been completely discharged by the 
COQ prover using à la Prolog resolution on a basis of lemmas containing prop- 
erties of each LS operator with respect to length-fail-preservation and partial 
wellformedness. 
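As an added example that is not the paper's code, the following Python models the sampled-stream semantics of sections 3 and 4 on finite prefixes of the basic clock: the elements None/Fail/Any, the operators sp_const, sp_extend, sp_on, sp_when, sp_merge and sp_fby, and rec0 computed as the text describes, by successive approximations starting from Fail. It reproduces Nat, Nat_on and Nat_mod and shows a non-causal definition leaving Fail behind; the helper names (values, nat, nat_on, nat_mod, non_causal) and the clock prefixes are constructed for this example.

```python
from collections import namedtuple

NONE = "None"                 # absent element, (samplElt A false)
FAIL = "Fail"                 # error element raised by instantaneous recursion
Any = namedtuple("Any", "v")  # present element carrying a value

def sp_const(a, c):
    # elt_const iterated on every instant: Any(a) where the clock c is true
    return [Any(a) if b else NONE for b in c]

def elt_extend(f, x):
    # instantaneous application: Fail propagates; a clock mismatch (ruled out
    # statically by the COQ types) is a runtime error in this model
    if f is NONE and x is NONE:
        return NONE
    if f is NONE or x is NONE:
        raise ValueError("sp_extend: function and argument must share a clock")
    if f is FAIL or x is FAIL:
        return FAIL
    return Any(f.v(x.v))

def sp_extend(fs, xs):
    return [elt_extend(f, x) for f, x in zip(fs, xs)]

def sp_not(c, lc):
    # point-wise negation of a sampled boolean stream lc on clock c
    return sp_extend(sp_const(lambda b: not b, c), lc)

def sp_on(lc):
    # clock constructor: Fail counts as present so the error is diffused
    return [True if o is FAIL else False if o is NONE else o.v for o in lc]

def sp_when(lc, xs):
    # filter xs on condition lc; the result lives on clock sp_on(lc)
    return [NONE if o is NONE else FAIL if o is FAIL else (x if o.v else NONE)
            for o, x in zip(lc, xs)]

def sp_merge(lc, xs, ys):
    # xs is on sp_on(lc), ys on sp_on(sp_not lc); the result is on lc's clock
    return [NONE if o is NONE else FAIL if o is FAIL else (x if o.v else y)
            for o, x, y in zip(lc, xs, ys)]

def sp_fby(c, xs, ys):
    # initialized delay on clock c: the first present element of xs, then the
    # previous present element of ys; only one element (mem) is ever stored
    out, mem, started = [], None, False
    for b, x, y in zip(c, xs, ys):
        if not b:
            out.append(NONE)
            continue
        if not started:
            mem, started = x, True
        out.append(mem)
        mem = y
    return out

def sp_wf(s):
    # wellformedness: no Fail element in the prefix
    return all(e is not FAIL for e in s)

def rec0(c, F):
    # smallest fixpoint by successive approximations from the all-Fail stream;
    # a causal F settles one more instant per step, a non-causal F keeps Fail
    s = [FAIL if b else NONE for b in c]
    for _ in range(len(c)):
        s = F(s)
    return s

def values(s):
    return [e.v if isinstance(e, Any) else e for e in s]

succ = lambda n: n + 1

def nat(c):
    return rec0(c, lambda N: sp_fby(c, sp_const(0, c),
                                    sp_extend(sp_const(succ, c), N)))

def nat_on(c, lc):
    # when before fby: the delay runs on sp_on(lc); zero where lc is false
    on, off = sp_on(lc), sp_on(sp_not(c, lc))
    return rec0(c, lambda N: sp_merge(lc,
        sp_fby(on, sp_const(0, on), sp_when(lc, sp_extend(sp_const(succ, c), N))),
        sp_const(0, off)))

def nat_mod(c, lc):
    # fby before when: the delay runs on c, so the count restarts after lc is false
    off = sp_on(sp_not(c, lc))
    return rec0(c, lambda N: sp_merge(lc,
        sp_when(lc, sp_fby(c, sp_const(0, c), sp_extend(sp_const(succ, c), N))),
        sp_const(0, off)))

def non_causal(c):
    # instantaneous recursion N = S N: every present instant stays Fail
    return rec0(c, lambda N: sp_extend(sp_const(succ, c), N))

if __name__ == "__main__":
    base = [True] * 6                 # constructed prefix of the basic clock
    lc = sp_const(True, base)
    lc[3] = Any(False)                # constructed condition, false at instant 3
    print(values(nat_on(base, lc)), values(nat_mod(base, lc)), sp_wf(non_causal(base)))
```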



4.2 Other Recursive Constructions 

The rec0 operator can also be used to express mutually recursive streams of 
LS, by putting each mutually recursive occurrence as a parameter of a simple 
recursive stream and linking the mutual recursion by hand. Hence, expressing such 
mutual definitions of LS in COQ needs some syntactic treatment, but it seems 
automatable. In order to prove that such “mutually recursive definitions” satisfy 
the preconditions of rec0, we have proven that rec0 itself has a good behavior 
with respect to length-fail-preservation and partial wellformedness (see [BH01]). 
Actually, all the previous properties of rec0 are specialized properties of a 
more general operator rec1. This operator has type: 

rec1: (A,B:Set; C:(B->clock)) 
  (((x:B)(samplStr A (C x))) -> (x:B)(samplStr A (C x))) 
  -> (x:B)(samplStr A (C x)) 

Thus, it allows building recursive functions of type (x:B)(samplStr A (C x)) 
where B is any type. Motivations and formal encoding of rec1 are given in [BH01]. 



5 Conclusion 

We have here established an embedding of LS into COQ, preserving the semantics 
of strongly typed functional languages with polymorphism, dependent types, and 
streams: 

• streams of LS are represented by sampled streams in COQ. 

• functions of LS are represented by functions of COQ. 

• clock concepts (polymorphism, dependent types) of LS are represented by 
the equivalent type concepts in COQ. 

This result strengthens both LS and COQ. Indeed, it shows that LS can be de- 
rived naturally from a more general language. It also shows that the coinductive 
part of COQ is powerful enough to represent programs from the real world. 

As a consequence, LS programs can be almost syntactically embedded into 
COQ. Actually, this embedding requires making some clock and type param- 
eters explicit to COQ (especially because in COQ there is no automatic generalization 
over polymorphic variables), but it would be easy to automate this translation 
using the LS typechecker. Indeed, most of the clock inference of LS is already done 
by the type inference of COQ. We have illustrated this point on some examples 
along the paper. 

Currently, automation for building proofs of the validity of LS programs 
(length-fail-preserving and partial-wellformedness-increasing) is not very pow- 
erful: we only use à la Prolog resolution on a good basis of lemmas. We could 
probably use the compiler analyses to produce these proofs more efficiently. The COQ 
typechecker would then just have to check their correctness. Hence, an application 
of this work could be to certify the validity of LS programs. 

Then, it would be interesting to build tools for proving general properties of 
LS programs in COQ. This could lead us to define a notion of “synchronous 
property”. Indeed, we may find a logic following the Curry-Howard isomorphism such 
that proofs in this logic are synchronous functions, and then have a theorem of 
realizability for this logic. It would provide a good framework for synthesizing 
proofs from programs following Parent’s approach [Par95]. 

Another application of this work could be to prove the correctness of an LS 
compiler. It may consist in proving that the compiler satisfies the denotational 
semantics presented here. In particular, it would require proving that the op- 
erational semantics of LS (using co-iteration [CP98]) refines this denotational 
semantics. 
Abstract. The EPGY Theorem-Proving Environment is designed to 
help students write ordinary mathematical proofs. The system, used in a 
selection of computer-based proof-intensive mathematics courses, allows 
students to easily input mathematical expressions, apply proof strate- 
gies, verify logical inference, and apply mathematical rules. Each course 
has its own language, database of theorems, and mathematical inference 
rules. The main goal of the project is to create a system that imitates 
standard mathematical practice in the sense that it allows for natural 
modes of reasoning to generate proofs that look much like ordinary 
textbook proofs. Additionally, the system can be applied to an unlimited 
number of proof exercises. 



1 Introduction 

The Education Program for Gifted Youth (EPGY), at Stanford University, is an 
ongoing research project developing computer-based courses and offering them 
to students via distance learning. We offer courses in mathematics and other 
subjects and target pre-college students of high ability. The EPGY Theorem- 
Proving Environment is a tool used in EPGY’s proof-intensive mathematics 
courses. Whereas other computer tools for teaching mathematics (for example, 
graphing calculators and “dynamic geometry tools”) emphasize experimental 
and inductive approaches, the EPGY theorem-proving environment aims to pre- 
serve the traditional emphasis on deductive reasoning in mathematics. In doing 
so, the system aims to come as close as possible to “standard mathematical 
practice”, both in how the final proofs look and in the kinds of methods used to 
produce them. In particular, we expect the student to make the kinds of steps 
normally present in student proofs. The system works to verify the students’ log- 
ical reasoning and generate and prove “obvious” side conditions that are needed 
for a correct formal proof but which are routinely omitted in standard practice. 

Our use of the Theorem Proving Environment emphasizes teaching mathe- 
matics, and we strive to avoid, as much as possible, having to teach a complete 
logic course or to require lengthy tutorials in how to use a specialized tool. 
Also, students need to transition in and out of the mainstream curriculum as 
they move in and out of our program, so we want our courses to look as ordinary 



R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 507-516, 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 

D. McMath, M. Rozenfeld, and R. Sommer 



as possible while allowing for the use of the Theorem Proving Environment. Cur- 
rently the system is being used by students in courses in Euclidean geometry and 
linear algebra, and it is scheduled for use in courses in calculus and differential 
equations. 



2 Background and Related Work 

EPGY is an outgrowth of earlier projects at Stanford in computer-based educa- 
tion dating back to the 1960s. Currently, EPGY offers courses in mathematics 
from first grade through much of the undergraduate mathematics curriculum. 
All of these courses are computer-based and self-paced; they consist of multi- 
media lectures and interactive exercises. These courses are offered to pre-college 
and college students of high ability as part of a distance-learning program. 

Work on interactive theorem proving at EPGY’s predecessor, the Institute 
for Mathematical Studies in the Social Sciences, dates back to the early 1960s 
with the use of an interactive theorem prover for the teaching of elementary logic 
to elementary- and middle-school children. With the advent of more powerful 
automated proof-checking systems, interactive proof systems for university-level 
logic and set theory were created. These proof systems formed the core compo- 
nent of the Stanford logic course starting in 1972 and the Stanford set theory 
course starting in 1974 [9]. 

Work on derivation systems for mathematics courses began in 1985 as part 
of a project to develop a computer-based course in calculus. This work consisted 
of three parts. The first part was the formulation of a formal derivation system 
for differential and integral calculus [2]. The second part was an attempt to in- 
tegrate the core of the set theory proof system with the symbolic mathematical 
program REDUCE [4]. The third part focused on interactive derivations of 
the standard problems in the first year of calculus. Because this system incor- 
porated only a rudimentary knowledge of logic, it was not suitable for proving 
any fundamental theorems [6]. 

3 A Description of the Theorem Proving Environment 

In the EPGY Theorem Proving Environment, a proof consists of a sequence 
of proof steps, each of which consists of a mathematical statement and a jus- 
tification line. Although displayed sequentially, proof steps are represented in 
tree-form, according to the dependencies of proof steps that are entered as as- 
sumptions. Steps that are given initially, entered as assumptions, or taken from 
the course-specific database of axioms, definitions, and theorems, are immedi- 
ately recognized as proved. When a newly generated step is shown to follow from 
already proved statements, it is marked as proved. The initial state of the proof 
includes a “final goal”, and the proof is complete when the final goal is proved. 
(See the EPGY Theorem Proving Environment User Manual [3].) 

The student composes a proof by selectively applying an assortment of tools 
for creating and justifying proof steps. He or she may apply a logical rule (Sec- 
tion 4.4 below), enter an assumption or apply a proof strategy (Section 3.1), 
apply a mathematical rule (Section 3.2), or simply type in a new statement and 
ask the system to verify that it follows from some other step(s) (Section 3.3). 

Many of the rules and strategies can be applied in the backward as well as 
the forward direction. There are typically many rules that can be applied to a 
particular proof step, allowing for an unlimited variety of paths to a complete 
proof. Although the system includes a complete set of natural deduction rules, 
when teaching students to use the system we focus on those that are commonly 
used in mathematical practice and those that are generally advantageous in our 
logical framework. 



3.1 Proof Strategies 

The theorem-proving environment encourages structured theorem proving. In 
particular, students can apply a variety of common proof strategies. These strate- 
gies include conditional proof, biconditional proof, proof by contradiction, proof 
by cases, and proof by induction. 

Students can apply these strategies in the forward and backward directions. 
For example, in order to develop a conditional proof in the forward direction, 
the student can insert an assumption, proceed to a goal, and then discharge 
the assumption to obtain a statement of the form “assumption implies goal.” 
Alternatively, using the conditional proof strategy in the backward direction on a 
conditional statement generates a conditional proof format where the hypothesis 
of the conditional appears as an assumption and the conclusion of the conditional 
appears as the proof goal. 

Proof strategies are represented using Fitch-style diagrams, so the student 
can easily keep track of what assumptions are available at a given location in 
the proof. 



3.2 The EPGY Derivation System 

For the application of mathematical rules, the Theorem Proving Environment 
uses the EPGY Derivation System [7], a tool that has been used in standard 
algebra and calculus derivations in EPGY courses for over six years. The EPGY 
Derivation System is an environment in which students can manipulate equa- 
tions, inequalities, and individual terms by applying built-in mathematical infer- 
ence rules or term-rewriting rules. The Derivation System is an important tool 
for generating new proof steps from old ones because it allows the student to 
flesh out a claim like “it follows from simple computation that ...” 

In a typical use of the Derivation System within the Theorem Proving En- 
vironment, the student first selects a term or formula he or she would like to 
manipulate, possibly selects some other proof steps he or she thinks might be 
relevant, and finally invokes the Derivation System. Within the Derivation Sys- 
tem, the term or formula of interest appears in the “working” area and other 
relevant facts appear as side-conditions. 

Inside the Derivation System, the student essentially manipulates a formula 
by selecting a subexpression of the “working” expression and invoking one of the 
rules. (Available rules are determined by the student’s location in the course.) 
Most rules provide simple algebraic manipulations of existing terms, but many 
involve side-conditions. For instance, the student may divide both sides of an 
equation by x, but only if x is a nonzero scalar. As another example, the student 
may left-multiply both sides of an equation by a matrix A, but only if A has 
the correct number of columns. Or a student may replace the matrix B by the 
matrix $BAA^{-1}$, provided A is an invertible matrix with the correct number 
of rows. The Derivation System keeps track of side-conditions and does some 
checking to decide whether a new condition follows from existing ones. Mostly, 
though, the System merely reports extra side-conditions back to the Theorem 
Proving Environment, which treats them as new proof obligations. In this regard, 
the Derivation System is quite different from a normal computer algebra system. 

The Derivation System has only the most rudimentary capacity to deal with 
quantified variables, and its assumptions about terms’ definedness are very re- 
strictive (in contrast with the larger Theorem Proving Environment; see Sec- 
tion 4). Furthermore, a student has very little flexibility to enter brand-new 
terms. These simplifications are in line with the idea that the Derivation Sys- 
tem should carry out the purely “computational” part of the proof. By virtue of 
these logical simplifications, though, a good student can move rapidly to trans- 
form even complicated terms to reach a desired goal. 



3.3 Logical Verification 

A student may enter a statement as a goal and propose that it follows from some 
other steps. In listing the justifications of a statement, the student may include 
other steps from the proof or choose from a database of axioms, definitions, 
and theorems. As students progress through the course and learn new axioms, 
definitions, and theorems, they gain the ability to apply them in their proofs. 

When the Environment tries to verify the inference, it calls on the au- 
tomated reasoning program Otter [5] written by William McCune¹. The Envi- 
ronment passes Otter the justifications as given statements and asks it to prove 
the proof step using strategies that seem appropriate. If Otter is successful, the 
proof step is marked as “provable” from the justifications (or “proved”, if the 
justifications are themselves proved). If it is unsuccessful, the proof step is un- 
changed. In some cases, when Otter returns unsuccessfully, the student is asked 
whether he or she would like to “try harder”. This happens when the system 
has identified that the goal might lend itself to some alternative Otter strategy. 

¹ Given that all EPGY students use the Microsoft Windows operating system, the 
DOS version of Otter is the most suitable automated reasoning system to back our 
logical-verification tool. 

We are constantly identifying and developing alternative strategies for Otter, so 
this feature changes frequently. 

Our use of Otter is intended to mimic an intelligent tutor looking over the 
student’s shoulder and saying “I agree that this follows simply” without the 
student having to explain all the painful details. The feature allows a student to 
make logical inferences that would perhaps involve several steps in a detailed, 
formal proof. To keep the system from accepting large leaps of logic, we limit 
Otter by allowing it only a few seconds to search for a proof (typically around 
five seconds). Our experience shows that very often Otter can verify reasonable 
inferences using our default strategy and time limit. Of course, success depends 
on many factors, and it is easy to find proof steps and justifications that seem 
reasonable but are not verified in the allotted time. We continually tinker with 
Otter’s strategies, trying to refine its ability to verify “obvious” inferences but 
reject more complicated ones; we intend to use student data to help classify 
“obvious” statements more precisely. 

As described below in Section 4, the Theorem Proving Environment presents 
the student with a multi-sorted logic of partial terms with some variables ranging 
over functions and other higher-order objects. Otter’s logic, on the other hand, 
is single-sorted, total, and first-order. So we were forced early on to develop a 
translation from the students’ language in the Theorem Proving Environment 
into statements in standard first-order logic. Some aspects of the translation are 
mentioned in Section 4. 

A drawback to using Otter (and the incumbent translation) for our auto- 
matic verification is that the student is not given any information as to why an 
inference has been rejected. An inference may be rejected because it represents 
too big a step of logic, because the justifications do not imply the goal, or be- 
cause our strategies are insufficient for Otter to complete the verification. Merely 
examining Otter’s output, it is difficult to decide which is the reason for a fail- 
ure. We will examine student data to try to classify common rejections and then 
program the Environment to give advice. For now, however, the expectation is 
that the student will study the inference, perhaps break it down into smaller 
steps, perhaps add some justifications, and perhaps change the statement being 
verified. 



4 Logical Framework 



Students using the EPGY Theorem Proving Environment work in a multi-sorted 
logic of partial terms with function variables, built-in operations on functions, 
and overloading of function symbols and relation symbols. Each course that 
uses the theorem proving environment has its own types, function and relation 
symbols, and conditions for definedness of functions. We have a proof that this 
logical framework is sound, modulo the soundness of Otter and the correctness 
of the other external systems that we use for the automatic verification of proof 
obligations, as described below. 
4.1 Definedness and the Strong Interpretation 

For each function symbol included in the language for a course, the system re- 
quires an author-coded definedness condition. Relations on terms are interpreted 
in the strong sense; in particular, the relation 

$R(\tau_1, \ldots, \tau_n)$ 

as expressed in the “display language” of the students’ world, is understood 
internally to state 

$R(\tau_1, \ldots, \tau_n) \;\&\; \tau_1\!\downarrow \;\&\; \ldots \;\&\; \tau_n\!\downarrow$ 

where $\tau\!\downarrow$ is the formula obtained by unraveling the definedness conditions of 
the functions in $\tau$. 



4.2 Quantifiers and Types 

Since the Theorem Proving Environment uses a logic of partial terms, quantified 
variables range only over defined terms. Furthermore, it uses a multi-sorted 
language to ensure that quantified variables range only over terms of a particular 
type. For instance, in a linear algebra course, where “A” is a variable whose sort is 
“matrix”, a theorem about matrices might be stated “$\forall A\, \phi(A)$”. To instantiate 
such a theorem, a student would need to provide a term denoting a matrix: a 
term such as “1 + 2” would not be allowed at all because 1 + 2 is not a matrix. 

Sorts are not the only tool for describing types; there are explicit relations, 
too. For each type T, the Theorem Proving Environment includes a relation 
“is a T”. The type-relations sometimes appear explicitly as proof obligations. 
Most type conditions are purely syntactic and are automatically either accepted 
or rejected by the system. Some are harder to decide and are left to the student 
as proof obligations (Section 4.3). An example of a “harder” type condition is 
deciding whether or not (a + bi)(c + di) is a real number, where a, b, c, and d 
are reals. To justify the proof obligation “(a + bi)(c + di) is a Real”, the student 
might invoke a theorem that this is true when ad + bc = 0. 

There is one other important use of our type-relations. When theorems are 
passed to Otter as justifications or goals, they must be translated from the 
multi-sorted language of the Theorem Proving Environment into something 
Otter can understand. The usual translation of the theorem “$\forall A\, \phi(A)$” is 
“$\forall A\,(A \text{ is a Matrix} \rightarrow \phi'(A))$” (where $\phi'$ is a translation of the formula $\phi$). 

4.3 Proof Obligations 

In enforcing the strong interpretation of relations, the Theorem Proving Environ- 
ment generates many extra formulas, or “proof obligations”, which the student 
must justify in order to complete his or her inferences. Many such formulas are 
simply added to the proof as new proof lines. For instance, if a student wants to 
instantiate “$\forall A\, \phi(A)$” with the matrix $B^{-1}$, he or she will need to prove that 
B is an invertible matrix. This is simply added as a new proof goal; it is the 
student’s responsibility to justify the statement. 

Whenever a new proof obligation is generated, the Environment does some 
simple checking to see whether it is “obvious” before adding a new proof step. 
It may call Otter or do some other internal processing. The purpose of this 
checking is to keep the proof from becoming cluttered with simple, obvious facts. 
We think of such obvious facts as being the type of “hidden assumption” that 
is often wrapped up in a statement in an ordinary mathematics textbook. 

4.4 Proof Rules 

The Theorem Proving Environment provides several rules that create and justify 
proof steps. The student can instantiate a quantified statement, use generaliza- 
tion in the forward or backward direction, and substitute for equals or expand 
definitions in the forward or backward direction. In this section, we describe 
some of these rules, focusing on how they relate to our multi-sorted logic of 
partial terms. 

Universal instantiation is a fairly simple rule. Using a statement $\forall x\, \phi(x)$, 
the student supplies a new term $\tau$ to conclude $\phi(\tau)$. As part of this action, the 
Theorem Proving Environment may require extra proof obligations about the 
definedness or type of $\tau$. 

The student may use universal generalization in either the forward or the 
backward direction. From a statement 

$\phi(x)$ (1) 

where $x$ is a free variable, the student may conclude 

$\forall x\, \phi(x)$. (2) 

The student is working “backwards” if he or she starts with statement (2) and 
creates statement (1); in this case, step (2) is marked “Provable assuming (1)” 
and will become “Proved” when (1) is justified. The student is working “for- 
wards” if he or she starts with statement (1) and generates statement (2) as a 
conclusion. 

Existential generalization and existential instantiation are dual operations 
to universal instantiation and universal generalization, respectively. They may 
generate appropriate proof obligations, and existential generalization can be used 
in either the forward or the backward direction. 

Students have two other tools for creating new proof lines from old ones. 
Using the “substitute” rule and a statement of the form $\gamma \rightarrow \rho = \sigma$ (or a similar 
statement with a quantifier), the student can create a new proof line $\phi(\sigma)$ from 
the line $\phi(\rho)$. The Environment will require $\gamma$ as a proof obligation. The “expand 
definition” rule works similarly, except that it starts with a statement of the form 
$\forall \bar{x}\,(R(x_1, \ldots, x_n) \leftrightarrow \phi)$. 

When using substitution or definition expansion from a quantified statement, 
we must be careful not to apply the rule to an undefined term. So, for instance, 
if the student tried to use the substitution rule $\forall x\,(x \neq 0 \rightarrow x/x = 1)$ to 
rewrite $\tau/\tau$, the Environment would generate proof obligations 
from both $\tau \neq 0$ (the hypothesis of the formula) and $\tau\!\downarrow$ (to account for the 
instantiation). 

4.5 Higher Types 

As mentioned earlier (Section 3.3), the Theorem Proving Environment uses Otter 
to check some verifications, and Otter uses a first-order language. The language 
of the Theorem Proving Environment, however, has variables ranging over func- 
tions and other higher types. Some aspects of this higher-order logic are easy to 
translate for Otter, but others are more difficult. 

Simple function-valued variables are handled relatively easily. We simply add 
an “apply” function² to the language of the Theorem Proving Environment. 
The definedness condition of a term “apply(f, x)” is essentially “x is in the 
domain of f”, so the Theorem Proving Environment has such a binary relation³. 
Given these operations, functions become first-class objects, so it is easy to 
translate them for Otter. Since we control the vocabulary of the Theorem Proving 
Environment, we can handle explicit higher-order functionals similarly. 

We also handle the more complicated case where an operation on functions 
is applied to an open term that implicitly defines a function. For example, the 
simple term $\sum_{k=1}^{n} A_{k,k}$ (defining the trace of the $n \times n$-matrix $A$) is inter- 
preted as “sum(1, n, f)”, where $f$ is the function defined by $f(k) = A_{k,k}$. Other 
expressions, like “the $m \times n$-matrix whose $(i, j)$-th entry is …” and “sin(x)”, 
require functions implicitly defined by terms. As part of its translation for Otter, 
our system needs to extract these functions and give them explicit descriptions. 
As an illustration, we give the details of how summation is translated. 

Example: Summation. In translating the formula $\phi\bigl(\sum_{k=m}^{n} \tau(k)\bigr)$, we as- 
sume that the term $\tau$ does not contain any summations. We will replace the 
summation-term with an equivalent one without changing the rest of the for- 
mula. 

We create a new function-variable $f$ and add the axioms 

$\forall k\,(\tau(k)\!\downarrow\ \rightarrow\ f(k) = \tau(k))$, 

$\forall k\,(\tau(k)\!\downarrow\ \rightarrow\ k \text{ is in the domain of } f)$ 

(where “$\tau(k)\!\downarrow$” represents the formula obtained by unraveling all the definedness 
conditions for functions appearing in $\tau(k)$). Then the original formula can be re- 
placed by $\phi(\mathrm{sum}(m, n, f))$. The definedness condition for the term sum(m, n, f) 
is 

$\forall k\,(m \le k \le n\ \rightarrow\ k \text{ is in the domain of } f)$. 

² Technically, we need a separate apply function for unary functions, binary functions, 
etc., because Otter does not support functions with variable numbers of arguments. 
³ Technically, binary, ternary, etc. relations. 
In fact, this is an unwieldy translation, especially if the formula contains 
many nested summations (we work inside-out in that case). Otter can directly 
verify only the simplest statements about summation, so the student typically 
needs the Environment’s other tools to write proofs about summations. 
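As an added worked example, not code from the paper or from the EPGY system: a toy Python model of Sections 4.1 to 4.5, covering the strong interpretation of relations through unraveled definedness conditions, the relativisation of sorted quantifiers for Otter, the proof obligations produced by universal instantiation and by the substitute rule, and the summation translation. The definedness conditions, the sort names (including the Integer sort on k), the tuple encoding of terms and formulas, and the sample statements are all assumptions made here.

```python
from functools import reduce
from itertools import count

TRUE = ('true',)

# Constructed definedness conditions. Terms: strings (variables/constants) or
# (symbol, arg, ...) tuples; atoms: ('atom', rel, term, ...). Var names != symbol names.
DEFINEDNESS = {
    'div':   lambda x, y: ('not', ('atom', '=', y, '0')),  # divisor must be nonzero
    'inv':   lambda a: ('atom', 'invertible', a),          # matrix must be invertible
    'apply': lambda f, x: ('atom', 'in_domain', x, f),     # x must lie in dom(f)
    # sum(m, n, f) is defined when every k with m <= k <= n lies in dom(f) (4.5)
    'sum':   lambda m, n, f: ('forall', 'k', 'Integer',
                              ('imp', ('atom', 'between', m, 'k', n),
                                      ('atom', 'in_domain', 'k', f))),
}

def conj(formulas):
    """Conjunction that drops trivially true conjuncts."""
    fs = [f for f in formulas if f != TRUE]
    return reduce(lambda a, b: ('and', a, b), fs) if fs else TRUE

def imp(a, b):
    """Implication, simplified when the hypothesis is trivially true."""
    return b if a == TRUE else ('imp', a, b)

def defined(term):
    """tau-down (4.1): unravel the definedness conditions of every function in term."""
    if isinstance(term, str):
        return TRUE
    fsym, *args = term
    own = DEFINEDNESS.get(fsym, lambda *_: TRUE)(*args)
    return conj([defined(a) for a in args] + [own])

def to_otter(phi):
    """(4.2) Relativise sorted quantifiers and interpret every relation strongly."""
    op = phi[0]
    if op == 'atom':                     # R(t1..tn) & t1-down & ... & tn-down
        return conj([phi] + [defined(t) for t in phi[2:]])
    if op == 'forall':                   # ('forall', var, sort, body)
        _, v, sort, body = phi
        return ('forall', v, imp(('atom', 'is_a', v, sort), to_otter(body)))
    if op == 'not':
        return ('not', to_otter(phi[1]))
    if op in ('and', 'or', 'imp', 'iff'):
        return (op, to_otter(phi[1]), to_otter(phi[2]))
    return phi

def replace(obj, old, new):
    """Replace every occurrence of term old by new (samples contain no shadowing)."""
    if obj == old:
        return new
    return tuple(replace(p, old, new) for p in obj) if isinstance(obj, tuple) else obj

def instantiate(theorem, tau):
    """Universal instantiation (4.3, 4.4): the instance plus the proof obligations
    'tau is a <sort>' and 'tau-down' that the student must justify."""
    _, v, sort, body = theorem
    obligations = [('atom', 'is_a', tau, sort), defined(tau)]
    return replace(body, v, tau), [o for o in obligations if o != TRUE]

def substitute(rule, tau, target):
    """'Substitute' rule (4.4) from a quantified gamma -> rho = sigma: instantiate
    with tau, rewrite rho to sigma in target, and add gamma as an obligation."""
    inst, obligations = instantiate(rule, tau)
    _, gamma, (_, _, rho, sigma) = inst
    return replace(target, rho, sigma), obligations + [gamma]

def translate_sums(phi):
    """(4.5) Replace ('Sigma', k, m, n, tau) terms by sum(m, n, f), f fresh; return f's axioms."""
    fresh, axioms = count(1), []
    def go(obj):
        if not isinstance(obj, tuple):
            return obj
        obj = tuple(go(p) for p in obj)  # inner summations first
        if obj[0] != 'Sigma':
            return obj
        _, k, m, n, tau = obj
        f, tau_down = 'f%d' % next(fresh), defined(tau)
        axioms.append(('forall', k, 'Integer',
                       imp(tau_down, ('atom', '=', ('apply', f, k), tau))))
        axioms.append(('forall', k, 'Integer',
                       imp(tau_down, ('atom', 'in_domain', k, f))))
        return ('sum', m, n, f)
    return go(phi), axioms

# Constructed samples: "every matrix A is square", the rule "for all reals x,
# x != 0 -> x/x = 1", a target mentioning tau/tau, and the sum of 1/x_k, k = 1..n.
THEOREM = ('forall', 'A', 'Matrix', ('atom', 'square', 'A'))
RULE = ('forall', 'x', 'Real', ('imp', ('not', ('atom', '=', 'x', '0')),
                                 ('atom', '=', ('div', 'x', 'x'), '1')))
TAU = ('apply', 'g', 'a')
TARGET = ('atom', '=', ('div', TAU, TAU), 'y')
PHI = ('atom', '=', ('Sigma', 'k', '1', 'n', ('div', '1', ('apply', 'x', 'k'))), 's')

if __name__ == '__main__':
    print(instantiate(THEOREM, ('inv', 'B')))  # obligation: B invertible
    print(substitute(RULE, TAU, TARGET))       # obligations: tau != 0 and tau-down
    print(to_otter(THEOREM), translate_sums(PHI))
```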



5 Student Use 

Presently, the Theorem Proving Environment is being used in EPGY’s geometry 
and linear algebra courses, and it will be incorporated into the EPGY multi- 
variable calculus and differential equations courses later this year. The proof 
environment has been used by approximately 60 students in the geometry course. 

In our geometry course students are able to prove theorems about incidence, 
parallel, betweenness and congruence (including some of the basic triangle con- 
gruence theorems) in a version of Hilbert’s axioms of geometry. In the linear 
algebra course the system is capable of theorems in matrix algebra and theo- 
rems about eigenvalues and eigenvectors. In calculus, the system can be used for 
basic continuity theorems; for example, that the sum of two continuous functions 
is continuous. 

The history of the students’ actions are recorded so that we can “play back” 
a student’s proof from start to finish, displaying all steps including those that 
were deleted by the student. Using this feature, we have had the opportunity 
to examine many students’ proofs. The analysis of these proofs has influenced 
both the development of the system and our presentation of the material in our 
courses. 

6 Future Directions 

The main goal of the Theorem Proving Environment project is to develop a 
system that imitates, both in construction and final form, the proofs of “standard 
mathematical practice”. For this reason, many of our directions of future study 
will focus on how to make the Theorem Proving Environment a more natural 
tool for students. 

One clear area to target for improvement is the system’s ability to automati- 
cally discharge “obvious” proof obligations. Because of the way proof obligations 
are generated, it is often the case that another statement within the proof would 
be helpful as a justification. Classifying exactly when a statement is “relevant” 
will be a very difficult task, but some initial experiments have shown that we 
can improve Otter’s performance by first scanning through the proof with some 
very basic algorithms. 

As a further aid in discharging proof obligations, we are studying more ex- 
tensive use of computer algebra systems. We currently use Maple V, Release 5.1, 
to automatically check some obligations that appear to involve only algebraic 
computations. This has been a successful strategy so far, but one drawback is 
that most computer algebra systems (Maple included) were designed for effi- 
cient computation and not necessarily for logical soundness, so we need to be 
very careful when we use them. Nevertheless, when used appropriately, Maple in 
particular can quickly decide many questions which give Otter great difficulty. 

Given that proof obligations are often generated in a restricted, decidable 
fragment of a mathematical theory, we intend to investigate the use of decision 
procedures for these cases. For example, in linear algebra and analysis, it is 
common to generate proof obligations that are expressed as order relations on 
linear terms with integer coefficients. Additionally, we may incorporate such 
decision procedures into the verification process directly, in cases where we can 
automatically determine that they apply. 

In a further effort to make our students’ proofs more natural, we would also 
like to improve our treatment of higher types. At the moment, our built-in tools 
deal fairly well with functions and operations on functions. When we need to 
translate higher-order objects for Otter, however, the statements quickly become 
very complicated, so some seemingly simple statements are hard to verify. This 
will be an increasing problem as we develop our differential calculus course. We 
plan to continually improve and simplify our translation, but we will also consider 
using provers based on higher-order logic. In principle, our system can use any 
number of automated reasoning systems for logical verification; however, given 
the limitation resulting from our use of Microsoft Windows, most higher-order 
provers (e.g., PVS, HOL, ACL2, etc.) are not available for our immediate use. 



References 

1. Barwise, J. & Etchemendy, J. (1999). Language, Proof and Logic. Seven Bridges 
Press, New York. 

2. Chuaqui, R. & Suppes, P. (1990). An equational deductive system for the differ- 
ential and integral calculus. In P. Martin-Löf & G. Mints (Eds.), Lecture Notes in 
Computer Science, Proceedings of COLOG-88 International Conference on Com- 
puter Logic (Tallinn, USSR). Berlin and Heidelberg: Springer-Verlag, pp. 25-49. 

3. Education Program for Gifted Youth (EPGY). Theorem Proving Environment 
Overview, http://epgy.stanford.edu/TPE. 

4. Hearn, A. (1987). Reduce user’s manual, Version 3.3. (Report CP 78). The RAND 
Corporation, Santa Monica, CA. 

5. McCune, William. Otter 3.0 reference manual and guide. Technical Report ANL- 
94/6. Argonne National Laboratory. January 1994. 

6. Ravaglia, R. (1990). User’s Guide for the Equational Derivation System. Education 
Program for Gifted Youth, Palo Alto. 

7. Ravaglia, R., Alper, T. M., Rozenfeld, M., & Suppes, P. (1998). Successful Applica- 
tions of Symbolic Computation. In Human Interaction with Symbolic Computation, 
ed. N. Kajler. Springer-Verlag, New York, pp. 61-87. 

8. Sieg, W., & Byrnes, J. (1996). Normal Natural Deduction Proofs (in classical logic). 
Tech-report CMU-PHIL-74. Department of Philosophy, Carnegie Mellon Univ., 
Pittsburgh, PA 15213. 

9. Suppes, P. (Ed.). (1981). University-level computer-assisted instruction at Stanford: 
1968-1980. Stanford, CA: Institute for Mathematical Studies in the Social Sciences, 
Stanford University. 

10. Suppes, P. & Takahashi, S. (1989). An interactive calculus theorem-prover for 
continuity properties. Journal of Symbolic Computation, Volume 7, pp. 573-590. 




On Termination of Meta-programs 



Alexander Serebrenik and Danny De Schreye 



Department of Computer Science, K.U. Leuven 
Celestijnenlaan 200A, B-3001, Heverlee, Belgium 
{Alexander.Serebrenik,Danny.DeSchreye}@cs.kuleuven.ac.be 



1 Introduction 

The term meta-programming refers to the ability of writing programs that have 
other programs as data and exploit their semantics [4]. The choice of logic pro- 
gramming as a basis for meta-programming offers a number of practical and the- 
oretical advantages. One of them is the possibility of tackling critical foundation 
problems of meta-programming within a framework with a strong theoretical 
basis. Another is the surprising ease of programming. These reasons motivated 
an intensive research on meta-programming inside the logic programming com- 




On the other hand, termination analysis is one of the most intensive research 
areas in logic programming as well. See [12] for the survey. More recent work on 
this topic can be found among others in [14,18,20,24,30]. 

Traditionally, termination analysis of logic programs has been done either 
by the “transformational” approach or by the “direct” one. A transformational 
approach first transforms the logic program into an “equivalent” term-rewrite 
system (or, in some cases, into an equivalent functional program). Here, equiva- 
lence means that, at the very least, the termination of the term-rewrite system 
should imply the termination of the logic program, for some predefined collection 
of queries¹. Direct approaches do not include such a transformation, but prove 
the termination directly on the basis of the logic program. In [25] we have devel- 
oped an approach that provides the best of both worlds: a means to incorporate 
into “direct” approaches the generality of general term-orderings. 

The aim of this paper is to present a methodology allowing us to perform a 
correct termination analysis for a broad class of meta-interpreters together with 
different classes of object programs. Unlike the previous work on compositional- 
ity of termination proofs [2], the approach presented allows a simple reuse of the 
termination proof of the object program for the meta-program. 

This methodology is based on the “combined” approach to termination anal- 
ysis mentioned above. 

¹ The approach of Arts [5] is exceptional in the sense that the termination of the logic 
program is concluded from a weaker property of single-redex normalisation of the 
term-rewrite system. 
Example 1. Our research has been motivated by the famous “vanilla” meta- 
interpreter M₀, undoubtedly belonging to the logic programming classics. 

solve(true). 

solve((Atom, Atoms)) ← solve(Atom), solve(Atoms). 

solve(Head) ← clause(Head, Body), solve(Body). 

Termination of this meta-interpreter has been studied by Pedreschi and Ruggieri. 
They proved that LD-termination of the goal G with respect to a program P 
implies LD-termination of the goal solve(G) with respect to M₀ and P (Corollary 
40, [23]). However, we claim more: the two statements are equivalent, i.e., the 
goal G LD-terminates with respect to a program P if and only if the goal solve(G) 
LD-terminates with respect to M₀ and P. □ 

In order for meta-interpreters to be useful in applications they should be 
able to cope with a richer language than the one of the “vanilla” meta- 
interpreter, including, for example, negation. Moreover, typical applications of 
meta-interpreters, such as debuggers, will also require producing some additional 
output or performing some additional tasks during the execution, such as con- 
structing proof trees or cutting “unlikely” branches for an uncertainty reasoner 
with cutoff. These extensions can and usually will influence termination proper- 
ties of the meta-interpreter. 

By extending the suggested technique [25] to normal programs, we are 
able to perform a correct analysis of a number of (possibly extended) meta- 
interpreters performing tasks as described above. We identify popular classes of 
meta-interpreters, such as extended meta-interpreters [22], and using this tech- 
nique prove that termination is usually improved. We also state more generic 
conditions implying preservation of termination. 

The rest of this paper is organised as follows. We start with some prelimi- 
nary remarks and basic definitions. Then we present the methodology as 
applied to the “vanilla” meta-interpreter. Afterwards we show how the same 
methodology can be applied to more advanced meta-interpreters, and conclude. 

2 Preliminaries 

A quasi-ordering over a set S is a reflexive and transitive relation ≥ defined on 
elements of S. If neither s ≥ t nor t ≥ s, we write s ∥ t. An ordered set S is said 
to be well-founded if there are no infinite descending sequences s₁ > s₂ > ⋯ of 
elements of S. If the set S is clear from the context we will say that the ordering 
defined on it is well-founded. 

We follow the standard notation for terms and atoms. A query is a finite 
sequence of atoms. Given an atom A, rel(A) denotes the predicate occurring in A. 
Term_P and Atom_P denote, respectively, the sets of all terms and atoms that can be 
constructed from the language underlying P. The extended Herbrand Universe 
U_P (the extended Herbrand base B_P) is the quotient set of Term_P (Atom_P) 
modulo the variant relation. 
We refer to an SLD-tree constructed using the left-to-right selection rule of 
Prolog as an LD-tree. We will say that a goal G LD-terminates for a program 
P if the LD-tree for (P, G) is finite. 

The following definition is borrowed from [1]. 

Definition 1. Let P be a program and p, q be predicates occurring in it. 

— We say that p refers to q in P if there is a clause in P that uses p in its head 
and q in its body. 

— We say that p depends on q in P, and write p ⊒ q, if (p, q) is in the transitive, 
reflexive closure of the relation refers to. 

— We say that p and q are mutually recursive, and write p ≃ q, if p ⊒ q and 
q ⊒ p. 

We also abbreviate p ⊒ q, q ⋣ p by p ⊐ q. 

Results for termination of meta-interpreters presented in this paper are 
based on the notion of order-acceptability, introduced in [25]. This notion of order- 
acceptability generalises the notion of acceptability with respect to a set of queries in 
two ways: 1) it generalises it to general term orderings; 2) it generalises it to 
mutual recursion, using the standard notion of mutual recursion [1]. The orig- 
inal definition of acceptability required a decrease only for calls to the predicate 
that appears in the head of the clause; this restriction limited the approach to 
programs with direct recursion only. 

Before introducing the order-acceptability we need the following notion. 

Definition 2. Let P be a definite program and S be a set of atomic queries. 
The call set, Call(P, S), is the set of all atoms A such that a variant of A is a 
selected atom in some derivation for P ∪ {← Q}, for some Q ∈ S and under the 
left-to-right selection rule. 

Definition 3. Let S be a set of atomic queries and P a definite program. P 
is order-acceptable with respect to S if there exists a well-founded ordering > 
such that 

— for any A ∈ Call(P, S), 

— for any clause A' ← B₁, …, Bₙ in P such that mgu(A, A') = θ exists, 

— for any atom B_i such that rel(B_i) ≃ rel(A), 

— for any computed answer substitution σ for ← (B₁, …, B_{i−1})θ: 

A > B_i θ σ. 

In [25] we prove the following theorem. 

Theorem 1. Let P be a program. P is order- acceptable with respect to a set of 
atomic queries S if and only if P is LD-terminating for all queries in S. 

We have found that order-acceptability is a powerful technique, able to 
analyse a wide variety of programs, such as normalisation, derivative, bid and the 
credit evaluation expert system [28], to mention a few. In this paper 
we will see that order-acceptability plays a key role in analysing termination of 
meta-programs. 
3 Basic Definitions 

In this section we present a number of basic definitions. We start by defining 
the kind of program we call a meta-program. Then we introduce two semantic 
notions that relate computed answers of the interpreted program and of the 
meta-program and conclude by discussing an appropriate notion of termination 
for meta-interpreters. 



3.1 Interpreted Programs and Meta-programs 

In this subsection we define the notion of a meta-interpreter, that is, a program 
having another program as data. We have already seen in Example 1 that the input 
program is represented as a set of atoms of the predicate clause. We call this 
representation a clause-encoding and define it formally as follows. 

Definition 4. Let P be a program. The clause-encoding γ_ce(P) is a collection 
of facts of a new predicate clause, such that clause(H, B) ∈ γ_ce(P) if and only if 
H ← B is a clause in P. 



Example 2. Let P be the following program: 

p(a).    p(X) ← q(X).    q(b). 

Then the following program is γ_ce(P): 

clause(p(a), true).    clause(p(X), q(X)).    clause(q(b), true). 

□ 

A meta-interpreter for a language is an interpreter for the language written 
in the language itself. We follow [25] by using a predicate solve for the meta- 
interpreter. 

Definition 5. The program P is called a meta-program if it can be represented 
as M ∪ I such that: 

— M defines a predicate solve that does not appear in I; 

— I is a clause-encoding of some program P'. 

M is called the meta-interpreter and P' is called the interpreted program. 

We also assume that ,/2 and clause/2 do not appear in the language un- 
derlying the interpreted program. Observe that if this assumption is violated, a 
clear distinction between the meta-interpreter and the interpreted program is no 
longer possible. 
3.2 Soundness and Completeness of Meta-interpreters 

Now we are going to define the notions of soundness and completeness for meta- 
interpreters, that will relate computed answers of the interpreted program to the 
computed answers of the meta-program. 

Definition 6. The meta-interpreter M is called sound if for every program P, 
every goal G₀ ∈ B_P and all terms H₁, …, Hₙ, 

— if solve(t₀, t₁, …, tₙ) is a computed answer for 
{solve(G₀, H₁, …, Hₙ)} ∪ M ∪ γ_ce(P), 

— then t₀ is a computed answer for {G₀} ∪ P. 

Note that H₁, …, Hₙ are extra arguments of solve that support added func- 
tionality (see Example 3 below). The definition of soundness, as well as further 
definitions, require some property to hold for all programs. Correctness of these 
definitions does not depend on the class of programs considered. However, 
constructing meta-interpreters that satisfy the required properties for all 
Prolog programs can be difficult. Thus, we start by restricting the class of pro- 
grams considered to definite logic programs. In Section 6 we study a broader 
class of programs. 

Definition 7. The meta-interpreter M is called complete if 

— for every program P and every goal G₀ ∈ B_P, 

— if t₀ is a computed answer for {G₀} ∪ P, then 

• for all terms H₁, …, Hₙ, 

• if there exist s₁, …, sₙ such that solve(s₀, s₁, …, sₙ) is a computed an- 
swer for {solve(G₀, H₁, …, Hₙ)} ∪ M ∪ γ_ce(P), 

• then there exist t₁, …, tₙ such that solve(t₀, t₁, …, tₙ) is a computed 
answer for {solve(G₀, H₁, …, Hₙ)} ∪ M ∪ γ_ce(P). 

Example 3. The following meta-interpreter M₁ is both sound and complete: 
solve(A) ← fail. It is sound, since there are no computed answers for ← solve(G). 
It is also complete, since the s₁, …, sₙ required in Definition 7 do not exist. The 
“vanilla” meta-interpreter M₀ (Example 1) is also both sound and complete, as 
shown by Levi and Ramundo in [19]. 

The following meta-interpreter M₂, mimicking the LD-refutation with 
bounded depth (the depth provided as the second argument), is sound but is 
not complete. 

solve(true, 0). 

solve((A, B), N) ← solve(A, N), solve(B, N). 
solve(A, s(N)) ← clause(A, B), solve(B, N). 

It is intuitively clear why this meta-interpreter is sound. To see that it is not 
complete, let P be the program presented in Example 2, let G₀ be p(X) and let t₀ be 
p(b). Then, given H₁ = s(0), there exists s₁ such that solve(s₀, s₁) is a computed 
answer for {solve(G₀, H₁)} ∪ M₂ ∪ γ_ce(P); namely s₁ = s(0) and s₀ = p(a). 
However, there exists no t₁ such that solve(p(b), t₁) is a computed answer for 
{solve(G₀, H₁)} ∪ M₂ ∪ γ_ce(P). □ 
3.3 Notion of Termination 

Recall that our aim is to study termination of meta-interpreters, that is, termina- 
tion of goals of the form solve(G₀, H₁, …, Hₙ), where G₀ is a goal with respect 
to the interpreted program. Thus, the crucial issue is defining an appropriate 
notion of termination for meta-interpreters. 

For many applications, such as debuggers, the desired behaviour of a meta- 
interpreter is to preserve termination. However, there are many meta-interpreters 
that may change termination behaviour of the interpreted program, either by 
improving or by violating it. 

Definition 8. (non-violating LD-termination) 

1. Let M be a meta-interpreter defining solve with arity 1. M is called non- 
violating LD-termination if for every program P and every goal G₀ ∈ B_P, if 
the LD-tree of {G₀} ∪ P is finite, then the LD-tree of {solve(G₀)} ∪ (M ∪ 
γ_ce(P)) is finite as well. 

2. Let M be a meta-interpreter defining solve with arity n+1, n > 0, and let S be 
a set of sequences of n terms. M is called non-violating LD-termination with 
respect to S if for every program P and every goal G₀ ∈ B_P, if the LD-tree of 
{G₀} ∪ P is finite, then for every sequence (H₁, …, Hₙ) ∈ S the LD-tree of 
{solve(G₀, H₁, …, Hₙ)} ∪ (M ∪ γ_ce(P)) is finite as well. 

It should be noted that traditionally this feature is called improving termi- 
nation. However, this name is misleading, since by improving we do not 
mean that the meta-program terminates more often than the original one, but 
that it terminates at least as often as the original one. Thus, we chose to use 
clearer names. 

It also follows from the definition of non-violation that every meta-interpreter 
defining solve with arity greater than 1 does not violate termination with respect 
to the empty set. 

Example 4. Recall once more the meta-interpreters shown in Example 3. M₁ 
does not violate termination, and M₂ does not violate termination with respect 
to the set of all terms, that is, for any depth argument. □ 

Definition 9. (non-improving LD-termination) 

1. Let M be a meta-interpreter defining solve with arity 1. M is called non- 
improving LD-termination if for every program P and every goal solve(G₀) ∈ 
B_{M ∪ γ_ce(P)}, finiteness of the LD-tree of {solve(G₀)} ∪ (M ∪ γ_ce(P)) implies 
finiteness of the LD-tree of {G₀} ∪ P. 

2. Let M be a meta-interpreter defining solve with arity n+1, n > 0, and let S be 
a set of sequences of n terms. M is called non-improving LD-termination with 
respect to S if for every program P and every goal solve(G₀, H₁, …, Hₙ) ∈ 
B_{M ∪ γ_ce(P)} such that (H₁, …, Hₙ) ∈ S, finiteness of the LD-tree of 
{solve(G₀, H₁, …, Hₙ)} ∪ (M ∪ γ_ce(P)) implies finiteness of the LD-tree of 
{G₀} ∪ P. 
Example 5. The meta-interpreter M₁ improves termination, while the meta- 
interpreter M₂ does not improve it w.r.t. Vars, where Vars is a set of variables. 
□ 

Finally, we will say that a meta-interpreter M defining solve with arity n+1 
is preserving termination (preserving termination with respect to S, if n > 0) 
if it is non-violating LD-termination (non-violating LD-termination 
with respect to S) and non-improving LD-termination (non-improving LD- 
termination with respect to S). The meta-interpreter M₀ preserves termination, 
and the meta-interpreter M₂ preserves termination with respect to Vars, that 
is, if it is used to measure the depth of the LD-refutation of a given goal and not to 
bound it. In the next sections we prove these statements. 

4 Termination of “Vanilla” Meta-interpreter 

Termination of the “vanilla” meta-interpreter, presented in Example 1, has been 
studied by Pedreschi and Ruggieri. They proved that “vanilla” does not vio- 
late termination (Corollary 40, [23]). However, we can claim more: this meta- 
interpreter preserves termination. 

We base our proof on soundness and completeness of “vanilla”, proved in [19]. 
Observe that in general soundness and completeness are not sufficient for the 
call set to be preserved. Indeed, consider the following example, motivated by 
the ideas of unfolding. 

Example 6. The following meta-interpreter M₃ eliminates calls to undefined 
predicates. 

solve(true). 

solve((A, B)) ← solve(A), solve(B). 
solve(A) ← clause(A, B), check(B), solve(B). 

check(true). 
check((A, B)) ← check(A), check(B). 
check(A) ← clause(A, _). 

This meta-interpreter is sound and complete, i.e., preserves computed an- 
swers. However, it does not preserve termination. Indeed, let P be the following 
program [8]: 

p ← q, r.    t ← r, q.    q ← q. 

and let p be the goal. Then p with respect to P does not terminate, while 
← solve(p) with respect to M₃ ∪ γ_ce(P) terminates (finitely fails). Thus, this 
meta-interpreter does not preserve LD-termination. Observe that unfolding 
may only improve termination [8]; thus, this meta-interpreter is improving LD- 
termination. □ 

Thus, we need some additional result, claiming that the “vanilla” meta- 
interpreter preserves the calls. 
Lemma 1. Let P be an interpreted program, M₀ the vanilla meta-interpreter 
and G ∈ B_P. Then 

{solve(A) | A ∈ Call(P, G)} = 

Call(M₀ ∪ γ_ce(P), solve(G)) ∩ {solve(A) | A ∈ B_P}, 

where = means equality up to variable renaming. 

Proof. For all proofs we refer to [26]. ∎ 



Theorem 2. Let P be a definite program, S a set of queries, and M₀ the vanilla 
meta-interpreter, such that M₀ ∪ γ_ce(P) is LD-terminating for all queries in 
{solve(G) | G ∈ S}. Then P is LD-terminating for all queries in S. 

Proof. (sketch) By Theorem 1, M₀ ∪ γ_ce(P) is order-acceptable with respect to 
{solve(G) | G ∈ S}. We are going to prove order-acceptability of P with respect 
to S. By Theorem 1 this will imply termination. 

Since M₀ ∪ γ_ce(P) is order-acceptable with respect to solve(S) = {solve(G) | 
G ∈ S}, there is a well-founded ordering > satisfying the requirements of Defini- 
tion 3. Define a new ordering ≻ on atoms of P as follows: A ≻ B if solve(A) > 
solve(B). 

The ordering ≻ is defined on {G | solve(G) ∈ Call(M₀ ∪ γ_ce(P), solve(S))}. By 
Lemma 1 this set coincides with Call(P, S). From the corresponding properties 
of > it follows that ≻ is well-defined and well-founded. 

The only thing that remains to be proved is that P is order-acceptable with 
respect to S via ≻. Let A ∈ Call(P, S) and let A' ← B₁, …, Bₙ be a clause in P 
such that mgu(A, A') = θ exists. Then θ is also an mgu of solve(A) and solve(A'). 

Let σ map Bθ to (B₁, …, Bₙ)θ. It is one of the computed answer substitu- 
tions for ← clause(Aθ, Bθ). Thus, by order-acceptability of M₀ ∪ γ_ce(P) with 
respect to solve(S), it holds that solve(A) > solve((B₁, …, Bₙ)θ). 

Order-acceptability also implies solve((B₁, …, Bₙ)θ) > solve(B₁θ) and 
solve((B₁, …, Bₙ)θ) > solve((B₂, …, Bₙ)θσ₁), where σ₁ is a computed answer 
substitution for ← solve(B₁θ). Proceeding in this way we conclude that, for 
any atom B_i, solve(A) > solve(B_iθσ₁…σ_{i−1}), where σ_j is a computed answer 
substitution for ← solve(B_jθσ₁…σ_{j−1}). By definition of ≻, this means that 
A ≻ B_iθσ₁…σ_{i−1}. 

Soundness and completeness of M₀ ensure that these σ_j are exactly the computed 
answer substitutions of P for ← B_jθσ₁…σ_{j−1}, so P is order-acceptable with 
respect to S via ≻. This completes the proof. ∎ 

The second direction of the theorem has been proved by Pedreschi and Rug- 
gieri [23]. It allows us to state the following corollary. 

Corollary 1. The “vanilla” meta-interpreter preserves LD-termination. 

The proof of Theorem 2 sketched above suggests the following methodology 
for proving that some meta-interpreter improves LD-termination. First, define 
an ordering on the set of calls to the meta-interpreter that reflects its behaviour. 
Then, establish the relationship between the new ordering and the one that reflects 
order-acceptability of the interpreted program with respect to a set of queries. Prove, using 
this relationship, that the newly defined ordering is well-defined, well-founded and 
reflects order-acceptability of the meta-program with respect to the corresponding 
set of calls. In order for the proofs to be correct one may need to assume (or 
to prove as a prerequisite) that the meta-interpreter is sound and that the sets 
of calls of the interpreted program and of the meta-program correspond to each 
other. The opposite direction can be proved using a similar methodology. 

5 Advanced Meta-interpreters 

Typical applications of meta-interpreters, such as debuggers, will also require 
producing some additional output or performing some additional tasks during 
the execution, such as constructing proof trees or cutting “unlikely” branches 
for an uncertainty reasoner with cutoff. As we are going to see in Example 7, 
these extensions can and usually will influence termination properties of the 
meta-interpreter. 

In this section we identify an important class of meta-interpreters that are 
able to perform additional tasks and extend the methodology presented in the 
previous section to analyse them. 

Definition 10. A definite program of the following form 

solve(true, t_{11}, …, t_{1n}) ← C_{11}, …, C_{1m₁}. 

solve((A, B), t_{21}, …, t_{2n}) ← 
    D_{11}, …, D_{1k₁}, solve(A, t_{31}, …, t_{3n}), 
    D_{21}, …, D_{2k₂}, solve(B, t_{41}, …, t_{4n}), 
    C_{21}, …, C_{2m₂}. 

solve(A, t_{51}, …, t_{5n}) ← 
    D_{31}, …, D_{3k₃}, clause(A, B, s₁, …, s_k), 
    D_{41}, …, D_{4k₄}, solve(B, t_{61}, …, t_{6n}), 
    C_{31}, …, C_{3m₃}. 

together with defining clauses for any other predicates occurring in the C_{ij} and 
D_{pq} (none of which contain solve or clause) is called a double extended meta- 
interpreter. 

This class of meta-interpreters extends the class of extended meta- 
interpreters studied in [22]. It includes many useful meta-interpreters, such as 
a proof-tree constructing meta-interpreter, which can be used as a basis 
for explanation facilities in expert systems, meta-interpreters allowing reasoning 
about theories and provability, or reasoning with uncertainty [28]. More- 
over, this class also describes a depth-tracking tracer for Prolog, a reasoner with 
threshold cutoff and a pure four-port box execution model tracer. Note 
that, despite the similarity with Example 1, Example 6 is not a double extended 
meta-interpreter, due to the call to the predicate clause in the definition of check. 

Definition 11. Let H ← B₁, …, B_i, …, Bₙ be a clause, and let v be a variable 
in B_i. We say that ← B₁, …, B_{i−1} is irrelevant for v if for every computed 
answer substitution σ for ← B₁, …, B_{i−1}, vσ = v. 

We call a double extended meta-interpreter restricted if for any i, 
D_{i1}, …, D_{ik_i} is irrelevant for the meta-variables A and B. The following theorem 
states conditions on a restricted double extended meta-interpreter D that im- 
ply that D is non-violating LD-termination. 

Theorem 3. Let P be an interpreted program, D a restricted double extended 
meta-interpreter, and G ∈ B_P. If G is terminating with respect to 
P and {A | A ∈ Call(D ∪ γ_ce(P), solve(G)), solve ⊐ rel(A)} is terminating with 
respect to D, then solve(G) terminates with respect to D ∪ γ_ce(P). 

In general, the second direction of the theorem does not necessarily hold. In- 
deed, consider the following uncertainty reasoner with cutoff, motivated by [28]. 

Example 7. 

solve(true, 1, T). 

solve((A, B), C, T) ← 
    solve(A, C1, T), 
    solve(B, C2, T), 
    minimum(C1, C2, C). 

solve(A, C, T) ← 
    clause(A, B, C1), 
    C1 > T, T1 is T/C1, 
    solve(B, C2, T1), 
    C is C1 * C2. 

Let P be the following uncertainty-program: clause(r, r, 0.9). When executed 
as a usual program, ignoring uncertainty coefficients, the goal ← r does not 
terminate. However, for any specified threshold Threshold > 0 the goal ← 
solve(r, Certainty, Threshold) finitely fails. □ 

Termination of this example follows from the fact that, given some positive 
threshold Threshold, there is always a natural number n such that 0.9ⁿ < Threshold. For 
the second direction of Theorem 3 to hold, this kind of termination should 
be eliminated. That is, termination of the meta-program shall depend only on the 
meta-calls. To formalise this intuition we set a requirement on the ordering used 
to prove termination of the meta-program. We say that an ordering > ignores 
argument position i of a functor f if for all t₁, …, tₙ, for all s₁, s₂ and for all u, 
if f(t₁, …, t_{i−1}, s₁, t_{i+1}, …, tₙ) ρ u then f(t₁, …, t_{i−1}, s₂, t_{i+1}, …, tₙ) ρ u, for 
every ρ ∈ {<, >, =, ∥}. 
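To make the behaviour discussed in Examples 6 and 7 concrete, here is an added illustration in Python; it is not code from the paper, whose meta-interpreters are written in Prolog. It implements the propositional case (atoms are constants, so no unification is needed) of the vanilla meta-interpreter M₀, of M₃ with its check, and of the uncertainty reasoner with cutoff, and runs them over the clause-encodings of the programs of Example 6 and Example 7. Since finiteness of an LD-tree cannot be decided, a step budget stands in for it: exhausting the budget is reported as non-termination within that budget. The names Fuel, ld_result, solve_check, solve_conj and solve_atom, and the extra terminating program PF, are this example's own assumptions.

```python
# Added illustration, not code from the paper: the propositional case of M0 (Example 1),
# M3 (Example 6) and the uncertainty reasoner with cutoff (Example 7), run over the paper's
# interpreted programs. The undecidable termination check is approximated by a step budget.

# Clause-encodings gamma_ce(P) as (Head, Body, Certainty) triples; bodies are tuples of
# propositional atoms and the empty tuple plays the role of `true`. Constructed from the paper:
P6 = [("p", ("q", "r"), 1.0),   # p <- q, r.
      ("t", ("r", "q"), 1.0),   # t <- r, q.
      ("q", ("q",), 1.0)]       # q <- q.          (r is undefined)
P7 = [("r", ("r",), 0.9)]       # clause(r, r, 0.9)
PF = [("a", (), 1.0),           # a.               (constructed terminating program)
      ("b", ("a",), 1.0)]       # b <- a.


class OutOfFuel(Exception):
    """The LD-tree was not exhausted within the step budget."""


class Fuel:
    """Step counter standing in for the termination check (one tick per solve call)."""

    def __init__(self, steps):
        self.steps = steps

    def tick(self):
        if self.steps <= 0:
            raise OutOfFuel()
        self.steps -= 1


def clauses(prog, head):
    """The clause(Head, Body, C) facts of gamma_ce(P) for this head, in program order."""
    return [(body, cert) for h, body, cert in prog if h == head]


def solve(prog, goals, fuel):
    """M0, the vanilla meta-interpreter: number of LD-refutations of <- goals."""
    fuel.tick()
    if not goals:                        # solve(true).
        return 1
    atom, rest = goals[0], goals[1:]     # left-to-right selection
    total = 0
    for body, _ in clauses(prog, atom):  # solve(Head) <- clause(Head, Body), solve(Body).
        total += solve(prog, body + rest, fuel)
    return total


def check(prog, body):
    """check/1 of M3: every atom in the body has at least one clause (check(true) succeeds)."""
    return all(clauses(prog, atom) for atom in body)


def solve_check(prog, goals, fuel):
    """M3 of Example 6: as M0, but a clause is used only if check(Body) succeeds first."""
    fuel.tick()
    if not goals:
        return 1
    atom, rest = goals[0], goals[1:]
    total = 0
    for body, _ in clauses(prog, atom):
        if check(prog, body):
            total += solve_check(prog, body + rest, fuel)
    return total


def solve_conj(prog, goals, threshold, fuel):
    """Example 7, conjunction and `true` clauses: certainty of (A, B) is min(C1, C2), of true is 1.
    Returns one certainty per refutation."""
    fuel.tick()
    if not goals:
        return [1.0]
    certs = []
    for c1 in solve_atom(prog, goals[0], threshold, fuel):
        for c2 in solve_conj(prog, goals[1:], threshold, fuel):
            certs.append(min(c1, c2))
    return certs


def solve_atom(prog, atom, threshold, fuel):
    """Example 7, clause rule: clause(A, B, C1), C1 > T, T1 is T/C1, solve(B, C2, T1), C is C1*C2."""
    fuel.tick()
    certs = []
    for body, c1 in clauses(prog, atom):
        if c1 > threshold:               # the cutoff prunes branches whose certainty fell below T
            for c2 in solve_conj(prog, body, threshold / c1, fuel):
                certs.append(c1 * c2)
    return certs


def ld_result(meta, *args, steps=300):
    """Run a meta-interpreter with a fresh budget; None means the LD-tree was not finite within it."""
    try:
        return meta(*args, Fuel(steps))
    except OutOfFuel:
        return None


if __name__ == "__main__":
    print("M0, <- p over P6:", ld_result(solve, P6, ("p",)))           # None: q <- q loops
    print("M3, <- p over P6:", ld_result(solve_check, P6, ("p",)))     # 0: check(r) fails, finite failure
    print("M0, <- b over PF:", ld_result(solve, PF, ("b",)))           # 1 refutation
    print("M0, <- r over P7:", ld_result(solve, P7, ("r",)))           # None: r <- r loops
    print("cutoff T=0.5, <- r:", ld_result(solve_atom, P7, "r", 0.5))  # []: finitely fails
    print("cutoff T=0,   <- r:", ld_result(solve_atom, P7, "r", 0.0))  # None: cutoff never fires
```

Running the script shows M₀ looping on ← p (the clause q ← q) where M₃ finitely fails, because check(r) finds no clause for r, and, for the program clause(r, r, 0.9), the cutoff version finitely failing with threshold 0.5 while both M₀ and the cutoff version with threshold 0 exhaust the budget. The cutoff terminates only because the threshold grows as T/0.9ⁿ and eventually exceeds 0.9, that is, because of a non-meta argument of solve; this is precisely the kind of termination that Theorem 4 excludes by requiring the ordering to ignore all argument positions of solve except the first.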

Theorem 4. Let P be an interpreted program and D a double extended meta- 
interpreter, such that D ∪ γ_ce(P) is order-acceptable with respect to solve(G) via 
an ordering > that ignores all argument positions of solve except for the first 
one. Then 

1. D terminates w.r.t. {A | A ∈ Call(D ∪ γ_ce(P), solve(G)), solve ⊐ rel(A)}, and 

2. P terminates w.r.t. G. 
6 Extending the Language of the Interpreted Programs 

So far we have considered only definite programs. However, in order to make 
our approach practical, the language of the underlying object programs should 
be extended to include negation, which frequently appears in applications of 
meta-interpreters. 

In order to prove that meta-interpreters with negation preserve termina- 
tion we use, among others, a termination analysis framework based on order- 
acceptability. Originally this framework was designed only for the study of termina- 
tion of definite programs. In [26] we extended this framework to normal programs 
as well. Here we present briefly some results that can be obtained for the meta- 
interpreters in the extended framework. 

First of all, instead of LD-derivations and trees, LDNF-derivations and trees 
should be considered. Recall that an LDNF-derivation flounders if there occurs 
in it, or in any of its subsidiary LDNF-trees, a goal whose first literal is 
non-ground and negative. 

Definition 12. The program P is called non-floundering with respect to a set 
of queries S, if all its LDNF-derivations starting in queries G G S are non- 
floundering. 

By extending the notion of order-acceptability to normal programs and ap- 
plying the same methodology as above, one can prove that the following meta- 
interpreter M₄, an immediate extension of the vanilla meta-interpreter to nor- 
mal programs [16], preserves LDNF-termination. Soundness and completeness 
of M₄ are proved in Theorem 2.3.3 of [16]. 

solve(true). 

solve((Atom, Atoms)) ← solve(Atom), solve(Atoms). 

solve(¬Atom) ← ¬solve(Atom). 

solve(Head) ← clause(Head, Body), solve(Body). 

Theorem 5. Let P be a normal program and S a set of queries. Then P is 
LDNF-terminating w.r.t. S if and only if M₄ ∪ γ_ce(P) LDNF-terminates with 
respect to {solve(G) | G ∈ S}. 



7 Conclusion 



We have presented a methodology for proving termination properties of meta- 
programs. The problem of termination has been studied by a number of authors 
(see [12] for a survey; more recent work can be found in [13, 14, 18, 20, 24] 
and elsewhere). 

Our methodology gains its power from the integrated approach, sug- 
gested in [25], which extends the traditional notion of acceptability with 
the wide class of term-orderings that have been studied in the context of 
term-rewriting systems. In this work we have shown that this approach allows 
one to define a relatively simple relation between the ordering that satisfies the 
requirements of order-acceptability for an object program and the one for the meta- 
interpreter extended by this object program and a corresponding set of goals. 
Thus, the methodology is useful to establish whether the meta-interpreter improves or 
preserves termination. In contrast, in the work on compositionality of termi- 
nation proofs [2], level mappings for an object program cannot easily be reused 
for the meta-program. 

Despite the intensive research on meta-programming inside the logic pro- 
gramming community, the termination behaviour of meta-programs has at- 
tracted less attention. Pedreschi and Ruggieri [23] use a generic verification 
method, based on specifying preconditions and postconditions. Unfortunately, 
their termination results are restricted to the “vanilla” meta-interpreter. 
It is not immediate how their results can be extended to alternative meta- 
interpreters, nor whether the relationship between the termination characterisation of the 
object program and of the meta-program can be established. 

We consider as future work identifying additional classes of meta- 
interpreters and studying their termination behaviour. 
Abstract. There is an increasing use of (first- and higher-order) rewrite 
rules in many programming languages and logical systems. The recur- 
sive path ordering (RPO) is a well-known tool for proving termination of 
such rewrite rules in the first-order case. However, RPO has some weak- 
nesses. For instance, since it is a simplification ordering, it can only han- 
dle simply terminating systems. Several techniques have been developed 
for overcoming these weaknesses of RPO. A very recent such technique 
is the monotonic semantic path ordering (MSPO), a simple and easily 
automatable ordering which generalizes other more ad-hoc methods. 

Another recent extension of RPO is its higher-order version HORPO. 
HORPO is an ordering on terms of a typed lambda-calculus generated 
by a signature of higher-order function symbols. Although many inter- 
esting examples can be proved terminating using HORPO, it inherits the 
weaknesses of the first-order RPO. 

Therefore, there is an obvious need for higher-order termination order- 
ings without these weaknesses. Here we define the first such ordering, 
the monotonic higher-order semantic path ordering (MHOSPO), which 
is still automatable like MSPO. We give evidence of its power by means 
of several natural and non-trivial examples which cannot be handled by 
HORPO. 

1 Introduction 

There is an increasing use of higher-order rewrite rules in many programming 
languages and logical systems. As in the first-order case, termination is a fun- 
damental property of most applications of higher-order rewriting. Thus, there 
exists a need to develop for the higher-order case the kind of semi-automated 
termination proof techniques that are available for the first-order case. 

There have been several attempts at designing methods for proving strong 
normalization of higher-order rewrite rules based on ordering comparisons. These 
orderings are either quite weak [LSS92, TR98] or need an important user inter- 
action [PS95]. Recently, in [JR99], the recursive path ordering (RPO) [Der82] 
— the most popular ordering-based termination proof method for first-order 
rewriting — has been extended to a higher-order setting by defining a higher- 
order recursive path ordering (HORPO) on terms following a typing discipline 
including ML-like polymorphism. This ordering is powerful enough to deal with 
many non-trivial examples and can be automated. Besides, all aforementioned 
previous methods operate on terms in η-long β-normal form, hence apply only to 
the higher-order rewriting “à la Nipkow” [MN98], based on higher-order pattern 
matching modulo βη. HORPO is the first method which operates on arbitrary 
higher-order terms, therefore applying to the other kind of rewriting, based on 
plain pattern matching, where β-reduction is considered as any other rewrite 
rule. Furthermore, HORPO can operate as well on terms in η-long β-normal 
form, and hence it provides a termination proof method for both kinds of higher- 
order rewriting (see also [vR01] for a particular version of HORPO dealing with η-long 
β-normal forms). 

However, HORPO inherits the same weaknesses that RPO has in the first-order
case. RPO is a simplification ordering (a monotonic ordering including
the subterm relation), which extends a precedence on function symbols to an
ordering on terms. It is simple and easy to use, but unfortunately it turns out,
in many cases, to be a weak termination proving tool. First, there are many
term rewrite systems (TRSs) that are terminating but are not contained in any
simplification ordering, i.e. they are not simply terminating. Second, in many
cases the head symbol, the one that is compared with the precedence, does not
provide enough information to prove the termination of the TRS. Therefore,
since HORPO follows the same structure and the same use of a precedence as
RPO (in fact, it reduces to RPO when restricted to first-order terms), similar
weaknesses are to be expected when proving termination of higher-order rewriting.

To avoid these weaknesses, in the first-order case, many different so-called
transformation methods have been developed. By transforming the TRS into a
set of ordering constraints, the dependency pair method [AG00] has become a
successful general technique for proving termination of (non-simply terminating)
TRSs.

As an alternative to transformation methods, more powerful term orderings
like the semantic path ordering (SPO) [KL80] can be used. SPO generalizes
RPO by replacing the precedence on function symbols by any (well-founded)
underlying (quasi-)ordering involving the whole term and not only its head symbol.
Although the simplicity of the presentation is kept, this makes the ordering
much more powerful. Unfortunately, SPO is not so useful in practice, since,
although it is well-founded, it is not, in general, monotonic. Hence, in order to
ensure termination, apart from checking that the rules of the rewrite system are
included in the ordering, the monotonicity for contexts of the rewrite
rules also has to be proved.

In [BFR00], a monotonic version of SPO, called MSPO, has been presented.
MSPO overcomes the weaknesses of RPO, is automatable, and is shown to
generalize other existing transformation methods.

Due to the fact that RPO and SPO share the same "path ordering nature",
our aim is to obtain for SPO and MSPO the same kind of extensions to the
higher-order case as was done for RPO.
In this paper we present the higher-order semantic path ordering (HOSPO)
which operates on terms of a typed lambda-calculus generated by a signature of
higher-order function symbols. As done for HORPO in [JR99], HOSPO is proved
well-founded by Tait and Girard's computability predicate proof technique. Then
a monotonic version of HOSPO, called MHOSPO, is obtained, which provides
an automatable and powerful method for proving termination of higher-order rewriting
on arbitrary higher-order terms union $\beta$-reduction. To illustrate this power
several non-trivial examples are shown to be terminating.

In this work we do not consider $\eta$-reductions, although all results can be extended
to include them at the expense of some easy, but technical, complications.
For the same reason we have not included ML-like polymorphism.

Besides its own interest as a termination method for higher-order rewriting, 
the extension of HORPO to HOSPO and the definition of MHOSPO on top 
of HOSPO is also interesting for other reasons. On the one hand, it shows the 
stability of the definition of HORPO, since it extends to HOSPO in the same 
way as RPO extends to SPO. On the other hand, it shows the stability of the 
definition of MSPO, since MHOSPO is obtained from HOSPO in the same way as 
MSPO is obtained from SPO. This gives some intuition of why term orderings 
provide a more adequate framework for defining general termination proving 
methods than other techniques. 

Formal definitions and basic tools are introduced in Section 2. In Section 3
an example motivating the need of extending HORPO is given. In Section 4 we
present and study the higher-order semantic path ordering. Section 5 introduces
MHOSPO. The method is applied to two examples in Section 6. Some conclusions
and possible extensions are given in Section 7. The reader is expected to
be familiar with the basics of term rewrite systems [DJ90] and typed lambda
calculi [Bar92]. Due to the lack of room we have provided almost no proofs. All
of them can be found in [BR01].

2 Preliminaries 

2.1 Types, Signatures, and Terms 

We consider terms of a simply typed lambda-calculus generated by a signature 
of higher-order function symbols. 

The set of types $\mathcal{T}$ is generated from the set $\mathcal{V}_\mathcal{T}$ of type variables (considered
as sorts) by the constructor $\to$ for functional types in the usual way. Types are
called functional when they are headed by the $\to$ symbol, and basic when they
are a type variable. As usual, $\to$ associates to the right. In the following, we use
$\alpha, \beta$ for type variables and $\sigma, \tau, \rho, \theta$ for arbitrary types.

Let $\equiv$ be the congruence on types generated by equating all type variables
in $\mathcal{V}_\mathcal{T}$. Note that two types are equivalent iff they have the same arrow skeleton,
i.e. $\sigma \equiv \tau$ iff replacing all type variables in $\sigma$ and $\tau$ by the same type variable $\alpha$
we obtain two identical types.

A signature $\mathcal{F}$ is a set of function symbols which are meant to be algebraic
operators, equipped with a fixed number $n$ of arguments (called the arity) of
respective types $\sigma_1 \in \mathcal{T}, \ldots, \sigma_n \in \mathcal{T}$, and an output type $\sigma \in \mathcal{T}$. A type declaration
for a function symbol $f$ will be written as $f : \sigma_1 \times \ldots \times \sigma_n \to \sigma$. Type
declarations are not types, although they are used for typing purposes. Note,
however, that $\sigma_1 \to \ldots \to \sigma_n \to \sigma$ is a type if $f : \sigma_1 \times \ldots \times \sigma_n \to \sigma$ is a type
declaration. We will use the letters $f, g, h$ to denote function symbols.

Given a signature $\mathcal{F}$ and a denumerable set $\mathcal{X}$ of variables, the set of raw
algebraic $\lambda$-terms is defined by $\mathcal{T} := \mathcal{X} \mid (\lambda\mathcal{X} : \mathcal{T}.\mathcal{T}) \mid @(\mathcal{T}, \mathcal{T}) \mid \mathcal{F}(\mathcal{T}, \ldots, \mathcal{T})$.
Terms of the form $\lambda x : \sigma.u$ are called abstractions, while the other terms are
said to be neutral. For the sake of brevity, we will often omit types. $@(u, v)$ denotes
the application of $u$ to $v$. The application operator is allowed to have a variable
arity. We call a partial left-flattening of the term $@(@(\ldots @(t_1, t_2) \ldots, t_{n-1}), t_n)$
any term of the form $@(@(\ldots @(t_1, t_2) \ldots), \ldots, t_n)$. As a matter of convenience,
we may write $@(u, v_1, \ldots, v_n)$ for $@(@(\ldots @(u, v_1) \ldots), v_n)$, assuming $n \geq 1$.

We denote by $Var(t)$ the set of free variables of $t$. We may assume for convenience
(and without further notice) that bound variables in a term are all
different, and are different from the free ones. The subterm of $t$ at position $p$ is
denoted by $t|_p$, and we write $t \triangleright t|_p$. The result of replacing $t|_p$ at position $p$ in
$t$ by $u$ is denoted by $t[u]_p$. We use $t[u]$ to indicate that $u$ is a subterm of $t$, and
simply $t[\,]_p$ for a term with a hole, also called a context. The notation $\bar{s}$ will be
ambiguously used to denote a list, or a multiset, or a set of terms $s_1, \ldots, s_n$.



2.2 Typing Rules 

Typing rules restrict the set of terms by constraining them to follow a precise
discipline. Environments are sets of pairs written $x : \sigma$, where $x$ is a variable and
$\sigma$ is a type. Our typing judgments are written as $\Gamma \vdash M : \sigma$ if the term $M$ can
be proved to have the type $\sigma$ in the environment $\Gamma$:

Variables:

$$\frac{x : \sigma \in \Gamma}{\Gamma \vdash x : \sigma}$$

Functions:

$$\frac{f : \sigma_1 \times \ldots \times \sigma_n \to \sigma \in \mathcal{F} \quad \Gamma \vdash t_1 : \sigma'_1 \equiv \sigma_1 \ \ldots \ \Gamma \vdash t_n : \sigma'_n \equiv \sigma_n}{\Gamma \vdash f(t_1, \ldots, t_n) : \sigma}$$

Abstraction:

$$\frac{\Gamma \cup \{x : \sigma\} \vdash t : \tau}{\Gamma \vdash (\lambda x : \sigma.t) : \sigma \to \tau}$$

Application:

$$\frac{\Gamma \vdash s : \sigma \to \tau \quad \Gamma \vdash t : \sigma' \equiv \sigma}{\Gamma \vdash @(s, t) : \tau}$$

A term $M$ has type $\sigma$ in the environment $\Gamma$ if $\Gamma \vdash M : \sigma$ is provable in the
above inference system. A term $M$ is typable in the environment $\Gamma$ if there exists
a unique type $\sigma$ such that $M$ has type $\sigma$ in the environment $\Gamma$. A term $M$ is
typable if it is typable in some environment $\Gamma$. Note again that function symbols
are uncurried, hence must come along with all their arguments.

The reason to use $\equiv$ is that having a larger set of typable terms allows us
to increase the power of the ordering we will define (see the end of the proof of
Example 3).
Substitutions are supposed to be well-typed. We use the letter $\gamma$ for substitutions
and postfix notation for their application, e.g. $t\gamma$. Substitutions behave
as endomorphisms defined on free variables (avoiding captures).

2.3 Higher-Order Rewrite Rules 

The rewrite relation which is considered in this paper is the union of the one
induced by a set of higher-order rewrite rules and the $\beta$-reduction relation, both
working modulo $\alpha$-conversion.

We use $\to_\beta$ for the $\beta$-reduction rule: $@(\lambda x : \sigma.u, v) \to_\beta u\{x \mapsto v\}$. The simply
typed $\lambda$-calculus is confluent and terminating with respect to $\beta$-reductions.

As said, for simplicity reasons, in this work we do not consider $\eta$-reductions,
although all results can be extended to include them.

A higher-order term rewrite system is a set of rewrite rules $R = \{\Gamma_i \vdash l_i \to r_i\}_i$,
where $l_i$ and $r_i$ are higher-order terms such that $l_i$ and $r_i$ have the same
type $\sigma_i$ in the environment $\Gamma_i$. Note that usually the terms $l_i$ and $r_i$ will be
typable in the system without using the type equivalence $\equiv$, i.e. they will be
typable by the system replacing $\equiv$ by syntactic equality $=$ on types.

Given a term rewriting system $R$, a term $s$ rewrites to a term $t$ at position
$p$ with the rule $\Gamma \vdash l \to r$ and the substitution $\gamma$, written $s \to_p^{l \to r} t$, or simply
$s \to_R t$, if $s|_p = l\gamma$ and $t = s[r\gamma]_p$ (modulo $\alpha$-conversion). We denote by $\to_R^*$ the
reflexive, transitive closure of the rewrite relation $\to_R$. We are actually interested
in the relation $\to_R \cup \to_\beta$.

Given a rewrite relation $\to$, a term $s$ is strongly normalizing if there is no
infinite sequence of rewrites issuing from $s$. The rewrite relation itself is strongly
normalizing, or terminating, if all terms are strongly normalizing.

2.4 Orderings and Quasi-Orderings 

We will make intensive use of well-founded orderings for proving strong normalization
properties. We will use the vocabulary of rewrite systems for orderings
and quasi-orderings (see e.g. [DJ90]). For our purpose, a (strict) ordering, always
denoted by $>$ or $\succ$ (possibly with subscripts), is an irreflexive and transitive relation.
An ordering $>$ is monotonic if $s > t$ implies $f(\ldots s \ldots) > f(\ldots t \ldots)$; it
is stable if $s > t$ implies $s\gamma > t\gamma$ for all substitutions $\gamma$; and it is well-founded if
there are no infinite sequences $t_1 > t_2 > \cdots$. An ordering is said to be higher-order
when it operates on higher-order terms and is $\alpha$-compatible: it does not
distinguish between $\alpha$-convertible terms.

A quasi-ordering, always denoted by $\succeq$ or $\geq$, is a transitive and reflexive
binary relation. Its inverse is denoted by $\preceq$. Its strict part $\succ$ is the strict ordering
$\succeq \setminus \preceq$ (i.e. $s \succ t$ iff $s \succeq t$ and $s \not\preceq t$). Its equivalence $\approx$ is $\succeq \cap \preceq$. Note that $\succeq$ is
the disjoint union of $\succ$ and $\approx$.

A quasi-ordering $\succeq$ is well-founded if $\succ$ is. It is stable if $\succ$ is and $s\gamma \succeq t\gamma$
whenever $s \succeq t$. $\succeq$ is quasi-monotonic if $f(\ldots, s, \ldots) \succeq f(\ldots, t, \ldots)$ whenever
$s \succ t$. A quasi-ordering is said to be higher-order when it operates on higher-order
terms and its equivalence includes $\alpha$-conversion. Note that if $\succ$ is a higher-order
ordering, $\succ \cup =_\alpha$ is a higher-order quasi-ordering whose strict part is $\succ$.

Assume $>_1, \ldots, >_n$ are orderings on sets $S_1, \ldots, S_n$. Then its lexicographic
combination $(>_1, \ldots, >_n)_{lex}$ is an ordering on $S_1 \times \ldots \times S_n$. We write $>_{lex}$ if all
sets and orderings are equal. Similarly the lexicographic combination of quasi-orderings
$\succeq_1, \ldots, \succeq_n$ is denoted by $(\succeq_1, \ldots, \succeq_n)_{lex}$ and defined as $s\, (\succeq_1, \ldots, \succeq_n)_{lex}\, t$
iff either $s \succ_i t$ for some $i$ and $s \approx_j t$ for all $j < i$, or $s \approx_i t$ for all $i$. If all
$>_i$, respectively $\succeq_i$, are well-founded then its lexicographic combination also is.
The same happens for stability and $\alpha$-compatibility.

Assume $\succ$ is an ordering on a set $S$. Then its multiset extension, denoted
by $\succ^{mul}$, is an ordering on the set of multisets of elements of $S$, defined as the
transitive closure of: $M \cup \{s\} \succ^{mul} M \cup \{t_1, \ldots, t_n\}$ if $s \succ t_i\ \forall i \in [1..n]$ (using $\cup$
for multiset union). If $\succ$ is well-founded, stable and $\alpha$-compatible then so is $\succ^{mul}$.

Definition 1. A higher-order reduction ordering is a well-founded, monotonic
and stable higher-order ordering $>$, such that $\to_\beta \subseteq >$.

A higher-order quasi-rewrite ordering is a quasi-monotonic and stable higher-order
quasi-ordering $\succeq$ such that $\to_\beta \subseteq \succeq$. A higher-order quasi-reduction
ordering is in addition well-founded.

Reduction orderings allow us to show that the relation $\to_R \cup \to_\beta$ is terminating
by simply comparing the left-hand and right-hand sides of each rule in
$R$:

Theorem 1. Let $R = \{\Gamma_i \vdash l_i \to r_i\}_{i \in I}$ be a higher-order rewrite system
such that $l_i > r_i$ for every $i \in I$. Then the relation $\to_R \cup \to_\beta$ is strongly
normalizing.



2.5 The Higher-Order Recursive Path Ordering (HORPO) 

We present here a restricted version of HORPO (with no status for function
symbols) which is enough for our purposes. The HORPO is based on a quasi-ordering
$\geq_\mathcal{F}$, called precedence, on the set of function symbols $\mathcal{F}$ whose strict part
$>_\mathcal{F}$ is well-founded and whose equivalence is denoted by $=_\mathcal{F}$. HORPO compares
terms of equivalent type by using the head symbol wrt. the precedence and/or
the arguments recursively, following a similar structure as RPO in the first-order
case.

Additionally, in HORPO, in order to make the ordering more powerful, when
comparing two terms $s$ and $t$, when $s$ is headed by an algebraic function symbol,
we can use not only the arguments of $s$ but also any term in the so-called computable
closure of $s$, which mainly allows us to introduce abstractions in some
cases. The intuition for doing so comes from the strong normalization proof.
In that proof, it is crucial to show the computability (in the sense of Tait and
Girard's strong normalization proof technique) of the right-hand side term $t$ by
using the left-hand side arguments of $s$, which are assumed to be computable,
and the head function symbol. Therefore, instead of using directly the arguments
of $s$, we can use any term obtained by applying computability preserving operations
to its arguments.

To ease the reading, here we give a subset of the possible computability
preserving operations given in [JR99], which is enough for our purposes and
gives the flavor of the method.

Definition 2. Given a term $s = f(s_1, \ldots, s_n)$, we define its computable closure
$\mathcal{CC}(s)$ as $\mathcal{CC}(s, \emptyset)$, where $\mathcal{CC}(s, \mathcal{V})$ with $\mathcal{V} \cap Var(s) = \emptyset$ is the smallest set of well-typed
terms containing the arguments $s_1, \ldots, s_n$, all variables in $\mathcal{V}$ and closed
under the following two operations:

1. precedence: $h(\bar{u}) \in \mathcal{CC}(s, \mathcal{V})$ if $f >_\mathcal{F} h$ and $\bar{u} \in \mathcal{CC}(s, \mathcal{V})$.

2. abstraction: $\lambda x.u \in \mathcal{CC}(s, \mathcal{V})$ if $x \notin Var(s) \cup \mathcal{V}$ and $u \in \mathcal{CC}(s, \mathcal{V} \cup \{x\})$.

Now we give the definition of HORPO, denoted by $\succ_{horpo}$, adapted from
[JR99], where $\succeq_{horpo}$ means the union of $\succ_{horpo}$ and $\alpha$-conversion.

$s : \sigma \succ_{horpo} t : \tau$ iff $\sigma \equiv \tau$ and

1. $s = f(\bar{s})$ with $f \in \mathcal{F}$, and $u \succeq_{horpo} t$ for some $u \in \bar{s}$

2. $s = f(\bar{s})$ with $f \in \mathcal{F}$ and $t = g(\bar{t})$ with $f >_\mathcal{F} g$, and
for all $t_i \in \bar{t}$ either $s \succ_{horpo} t_i$ or $u \succeq_{horpo} t_i$ for some $u \in \mathcal{CC}(s)$

3. $s = f(\bar{s})$ and $t = g(\bar{t})$, $f =_\mathcal{F} g \in \mathcal{F}$ and $\{\bar{s}\} \succ^{mul}_{horpo} \{\bar{t}\}$

4. $s = f(\bar{s})$ with $f \in \mathcal{F}$, $t = @(\bar{t})$ is some partial left-flattening of $t$,
and for all $t_i \in \bar{t}$ either $s \succ_{horpo} t_i$ or $u \succeq_{horpo} t_i$ for some $u \in \mathcal{CC}(s)$

5. $s = @(s_1, s_2)$, $t = @(t_1, t_2)$ and $\{s_1, s_2\} \succ^{mul}_{horpo} \{t_1, t_2\}$

6. $s = \lambda x.u$ and $t = \lambda x.v$, and $u \succ_{horpo} v$

7. $s = @(\lambda x.u, v)$ and $u\{x \mapsto v\} \succeq_{horpo} t$

The definition of HORPO is used as a recursive algorithm to check whether
a term $s$ is greater than a term $t$. In case 6 we apply an $\alpha$-conversion on the
heading lambda if necessary. The following theorem states that HORPO is a
higher-order reduction ordering, which means that if we show that the left-hand
side of each rule in a rewriting system is greater than the right-hand side then
we can conclude that the system is terminating for higher-order rewriting.

Theorem 2. The transitive closure of $\succ_{horpo}$ is a higher-order reduction ordering.

3 A Motivating Example 

In this section we present an example which on the one hand will help us to show
how HORPO is used, and on the other hand will exhibit its weakness, since the
example is terminating but cannot be proved so, which shows the need to improve
in the direction of semantic orderings.

The example defines the prefix sum of a list of natural numbers, i.e. the list
with the sums of all prefixes of the given list, using the map function. We do not
include the rules defining the $+$ symbol.

Example 1. Prefix sum. Let $\mathcal{V}_\mathcal{T} = \{Nat, List\}$,
$\mathcal{X} = \{x : Nat,\ xs : List,\ F : Nat \to Nat\}$ and
$\mathcal{F} = \{[\,] : List,\ cons : Nat \times List \to List,\ + : Nat \times Nat \to Nat,\ map : (Nat \to Nat) \times List \to List,\ ps : List \to List\}$.

$map(F, [\,]) \to [\,]$  (1)

$map(F, cons(x, xs)) \to cons(@(F, x), map(F, xs))$  (2)

$ps([\,]) \to [\,]$  (3)

$ps(cons(x, xs)) \to cons(x, ps(map(\lambda y.x + y, xs)))$  (4)

Now we try to prove that this system is included in HORPO. Rules (1) and (3)
hold applying case 1 of the definition of HORPO. For the second rule we need
to show that $map(F, cons(x, xs)) : List \succ_{horpo} cons(@(F, x), map(F, xs)) : List$.
In this case the only possibility is to have $map >_\mathcal{F} cons$ and apply case 2. Then
we check recursively (1) $map(F, cons(x, xs)) : List \succ_{horpo} @(F, x) : Nat$ and (2)
$map(F, cons(x, xs)) : List \succ_{horpo} map(F, xs) : List$. For (1) we apply case 4,
since $F \in \mathcal{CC}(map(F, cons(x, xs)))$ and $map(F, cons(x, xs)) : List \succ_{horpo} x : Nat$,
applying twice case 1. Finally, to prove (2) we apply case 3, which holds
since $cons(x, xs) : List \succ_{horpo} xs : List$ by case 1.

For the last rule, we can only apply case 2, taking $ps >_\mathcal{F} cons$. This requires
that $ps(cons(x, xs)) : List \succ_{horpo} x : Nat$, which holds applying twice case 1, and
also $ps(cons(x, xs)) : List \succ_{horpo} ps(map(\lambda y.x + y, xs)) : List$. For the latter we
apply case 3, which requires $cons(x, xs) : List \succ_{horpo} map(\lambda y.x + y, xs) : List$.
To prove this we need $cons >_\mathcal{F} map$ and apply case 2, showing that $\lambda y.x + y \in \mathcal{CC}(cons(x, xs))$
taking $cons >_\mathcal{F} +$, and $cons(x, xs) : List \succ_{horpo} xs : List$ using
case 1.

Unfortunately, to show that the second rule is in HORPO we need to take
$map >_\mathcal{F} cons$ and to show the last rule we need $cons >_\mathcal{F} map$, which of course
cannot be the case if $>_\mathcal{F}$ is well-founded. Note that the considered system cannot
be proved either using the definition of HORPO in [JR99], hence the problem is
not due to the simplified version of HORPO we are considering here.

Now, if we look at the example, the intuition behind its termination comes
from the fact that in all recursive calls the size of the list parameter decreases.
This somehow means that this parameter should play an important role when
comparing the terms, since the use of the head symbol is not enough. Generalizing
path orderings to use more information about the term than only the
head symbol is done by means of semantic path orderings [KL80].
4 The Higher-Order Semantic Path Ordering (HOSPO)

We present now HOSPO, which generalizes HORPO by using a well-founded stable
higher-order quasi-ordering $\succeq_Q$, which does not need to include $\beta$-reduction,
instead of the precedence $\geq_\mathcal{F}$. We also adapt in the same way the computable
closure. Note that, although we can fully adapt the definition of the computable
closure given in [JR99], for simplicity reasons we will provide only an adapted
version of the restricted computable closure given in Section 2.5.

Definition 3. Given a term $s = f(s_1, \ldots, s_n)$, we define its computable closure
$\mathcal{CC}(s)$ as $\mathcal{CC}(s, \emptyset)$, where $\mathcal{CC}(s, \mathcal{V})$ with $\mathcal{V} \cap Var(s) = \emptyset$ is the smallest set of
well-typed terms containing all variables in $\mathcal{V}$ and all terms in $\{s_1, \ldots, s_n\}$, and
closed under the following operations:

1. quasi-ordering: $h(\bar{u}) \in \mathcal{CC}(s, \mathcal{V})$ if $f(\bar{s}) \succ_Q h(\bar{u})$ and $\bar{u} \in \mathcal{CC}(s, \mathcal{V})$.

2. abstraction: $\lambda x.u \in \mathcal{CC}(s, \mathcal{V})$ if $x \notin Var(s) \cup \mathcal{V}$ and $u \in \mathcal{CC}(s, \mathcal{V} \cup \{x\})$.

Now we give the definition of HOSPO, where $\succeq_{hospo}$ means the union of
$\succ_{hospo}$ and $\alpha$-conversion.

Definition 4. $s : \sigma \succ_{hospo} t : \tau$ iff $\sigma \equiv \tau$ and

1. $s = f(\bar{s})$ with $f \in \mathcal{F}$, $u \succeq_{hospo} t$ for some $u \in \bar{s}$.

2. $s = f(\bar{s})$ and $t = g(\bar{t})$ with $f, g \in \mathcal{F}$, $s \succ_Q t$, and
for all $t_i \in \bar{t}$ either $s \succ_{hospo} t_i$ or $u \succeq_{hospo} t_i$ for some $u \in \mathcal{CC}(s)$.

3. $s = f(\bar{s})$ and $t = g(\bar{t})$ with $f, g \in \mathcal{F}$, $s \approx_Q t$ and $\{\bar{s}\} \succ^{mul}_{hospo} \{\bar{t}\}$

4. $s = f(\bar{s})$, $f \in \mathcal{F}$, $@(\bar{t})$ is some partial left-flattening of $t$, and
for all $t_i \in \bar{t}$ either $s \succ_{hospo} t_i$ or $u \succeq_{hospo} t_i$ for some $u \in \mathcal{CC}(s)$.

5. $s = @(s_1, s_2)$, $t = @(t_1, t_2)$, $\{s_1, s_2\} \succ^{mul}_{hospo} \{t_1, t_2\}$

6. $s = \lambda x.u$, $t = \lambda x.v$, $u \succ_{hospo} v$

7. $s = @(\lambda x.u, v)$ and $u\{x \mapsto v\} \succeq_{hospo} t$

In case 6 we apply an $\alpha$-conversion on the heading lambda if necessary. Note
that $\succeq_Q$ is only used in cases 2 and 3, where the head symbol of both terms is
in $\mathcal{F}$. On the other hand, case 7 captures $\beta$-reduction at top position, and since,
in general, HOSPO is not monotonic, it may be the case that HOSPO does not
include $\beta$-reduction at any position.

The resulting ordering is shown to be well-defined by comparing pairs of
terms $(t, s)$ in the well-founded ordering $(>, \to_\beta \cup \triangleright)_{lex}$.

Lemma 1. $\succ_{hospo}$ is stable under substitutions and $\alpha$-compatible.

For stability under substitutions, first we show that $u \in \mathcal{CC}(s)$ implies that
$u\gamma \in \mathcal{CC}(s\gamma)$ for every substitution $\gamma$. Then the proof is done by induction on the
pair $(t, s)$ wrt. $(>, \to_\beta \cup \triangleright)_{lex}$, distinguishing cases according to the definition
of $\succ_{hospo}$ and using the stability of $\succeq_Q$. For $\alpha$-compatibility we follow the same
pattern.

To prove well-foundedness of the ordering we follow Tait and Girard's
computability predicate proof method, as for HORPO in [JR99]. We denote by
$[\![\sigma]\!]$ the computability predicate of type $\sigma$.
Definition 5. The family of type interpretations $\{[\![\sigma]\!]\}_{\sigma \in \mathcal{T}}$ is the family of subsets
of the set of typed terms whose elements are the least sets satisfying the
following properties:

1. If $\sigma$ is a basic type, then $s : \sigma \in [\![\sigma]\!]$ iff $\forall t : \tau$ s.t. $s \succ_{hospo} t$, $t \in [\![\tau]\!]$.

2. If $s : \sigma \equiv \tau \to \rho$ then $s \in [\![\sigma]\!]$ iff $@(s, t) \in [\![\rho]\!]$ for every $t \in [\![\tau']\!]$, with $\tau' \equiv \tau$.

The above definition is based on a lexicographic combination of an induction
on the size of the type and a fixpoint computation for basic types. The existence
of a least fixpoint is ensured by the monotonicity of the underlying family of
functionals (indexed by the set of basic types) with respect to set inclusion
(for each basic type). Note that for basic types this definition can be seen as a
closure wrt. case 1, taking as initial set for each basic type the set of minimal,
wrt. $\succ_{hospo}$, terms (which includes the variables). A typed term $s$ of type $\sigma$ is
said to be computable if $s \in [\![\sigma]\!]$. A vector $\bar{s}$ of terms is computable iff so are all
its components.

Property 1 Computability properties.

1. Every computable term is strongly normalizable.

2. If $s$ is computable and $s \succ_{hospo} t$ then $t$ is computable.

3. A neutral term $s$ is computable iff $t$ is computable for every $t$ s.t. $s \succ_{hospo} t$.

4. If $\bar{t}$ is a vector of at least two computable terms s.t. $@(\bar{t})$ is a typed term,
then $@(\bar{t})$ is computable.

5. $\lambda x : \sigma.u$ is computable iff $u\{x \mapsto w\}$ is computable for every computable
term $w : \sigma' \equiv \sigma$.

Note that variables are computable as a consequence of Property 1(3). The
precise assumption of the following property comes from the ordering used in
the proof by induction of Lemma 2 and gives some intuition about the definition
of the computable closure.

Property 2 Assume $\bar{s} : \bar{\tau}$ is computable, as well as every term $h(\bar{u})$ with $\bar{u}$
computable and $f(\bar{s}) \succ_Q h(\bar{u})$. Then every term in $\mathcal{CC}(f(\bar{s}))$ is computable.

Lemma 2. Let $f : \bar{\sigma} \to \tau \in \mathcal{F}$ and $\bar{t} : \bar{\tau} \equiv \bar{\sigma}$ be a set of terms. If $\bar{t}$ is
computable, then $f(\bar{t})$ is computable.

The proof is done by induction on the ordering $(\succ_Q, \succ^{mul}_{hospo})_{lex}$ operating on
pairs $(f(\bar{t}), \bar{t})$. This ordering is well-founded since we are assuming that $\bar{t}$ is
computable and hence strongly normalizing by Property 1(1). Note that in the
assumption of Property 2 we are only using the first component of the induction
ordering. By using both components, we can improve the computable closure,
as done in [JR99], adding new cases (see [BR01] for details).

Lemma 3. $\succ_{hospo}$ is well-founded.

The proof is done by showing that $t\gamma$ is computable for every typed term $t$ and
computable substitution $\gamma$, by induction on the size of $t$ and using Property 1(5)
and Lemma 2. Note that for the empty substitution $\gamma$ we have that all typed
terms are computable and hence strongly normalizable by Property 1(1).
5 A Monotonic Higher-Order Semantic Path Ordering

In this section we present a monotonic version of HOSPO, called MHOSPO, and
show how it can be used in practice.

To define MHOSPO we need an additional quasi-ordering $\succeq_I$ as ingredient.
This quasi-ordering is used to ensure monotonicity, and due to this we need to
require some properties on it.

Definition 6. We say that $\succeq_I$ is quasi-monotonic on $\succeq_Q$ (or is quasi-monotonic
wrt. $\succeq_Q$) if

$s \succ_I t$ implies $f(\ldots s \ldots) \succeq_Q f(\ldots t \ldots)$

for all terms $s$ and $t$ and all function symbols $f$.

A pair $(\succeq_I, \succeq_Q)$ is called a higher-order quasi-reduction pair if $\succeq_I$ is a higher-order
quasi-rewrite ordering, $\succeq_Q$ is a well-founded stable higher-order quasi-ordering,
and $\succeq_I$ is quasi-monotonic on $\succeq_Q$.

Now we give the definition of MHOSPO.

Definition 7. Let $(\succeq_I, \succeq_Q)$ be a higher-order quasi-reduction pair.

$s \succ_{mhospo} t$ iff $s \succeq_I t$ and $s \succ_{hospo} t$

Theorem 3. The transitive closure of $\succ_{mhospo}$ is a higher-order reduction ordering.

Well-foundedness follows from the fact that $\succ_{mhospo} \subseteq \succ_{hospo}$ and $\succ_{hospo}$ is well-founded.
Stability and $\alpha$-compatibility follow respectively from the stability and
$\alpha$-compatibility of $\succeq_I$ and $\succ_{hospo}$. Monotonicity follows directly from the fact
that $\succeq_I$ is quasi-monotonic on $\succeq_Q$ and includes $\beta$-reduction, and cases 3, 5 and 6
of $\succ_{hospo}$. Finally, to prove that $\to_\beta \subseteq \succ_{mhospo}$, we use monotonicity, case 7
of HOSPO and the fact that $\succeq_I$ includes $\beta$-reduction.

Note that HORPO is a particular case of MHOSPO, which is obtained by
taking $\succeq_I$ as $s \succeq_I t$ for all $s$ and $t$, which has an empty strict part (and trivially
fulfils all required properties), and $\succeq_Q$ as a precedence.

In order to make MHOSPO useful in practice we need general methods to
obtain quasi-reduction pairs $(\succeq_I, \succeq_Q)$. We will first provide possible candidates
for the quasi-ordering $\succeq_I$ and then show how to obtain a $\succeq_Q$ forming a pair.

5.1 Building $\succeq_I$

We consider $\succeq_I$ obtained by combining an interpretation $I$ on terms with some
higher-order quasi-reduction ordering $\succeq_B$, called the basic quasi-ordering, i.e.
$s : \sigma \succeq_I t : \tau$ if and only if $I(s : \sigma) \succeq_B I(t : \tau)$ (note that hence we also
have that $s : \sigma \succ_I t : \tau$ if and only if $I(s : \sigma) \succ_B I(t : \tau)$). An obvious
candidate for $\succeq_B$ is (the transitive closure of) HORPO union $\alpha$-conversion. For
the interpretation $I$, as a general property, we require the preservation of the
typability of terms and of the quasi-monotonicity, stability, $\alpha$-compatibility and
the inclusion of $\beta$-reduction of the basic quasi-ordering $\succeq_B$. Note that, since $\succeq_B$
is well-founded, the obtained $\succeq_I$ is also well-founded and hence it is a quasi-reduction
ordering, although $\succeq_I$ is only required to be a quasi-rewrite ordering.
The reason for adding the well-foundedness property to $\succeq_I$ in this construction
will become clear later when building the quasi-reduction pairs $(\succeq_I, \succeq_Q)$.

Below some suitable such interpretations, obtained by adapting usual interpretations
for the first-order case, are provided. We consider interpretations that
are mappings from typed terms to typed terms. For simplicity we
have considered only interpretations to terms in the same given signature and
set of types. Note that we can enlarge our signature (or the set of types) if new
symbols (or types) are needed in the interpretation. On the other hand, if we
consider interpretations to terms in a new signature and set of types then we
not only need to interpret the terms but also the types.

Each symbol $f : \sigma_1 \times \ldots \times \sigma_n \to \sigma$ can be interpreted either by (1) a projection
on a single argument of an equivalent type to the output type of $f$, denoted by
the pair $(f(x_1, \ldots, x_n), x_i)$ with $x_i : \tau$ and $\sigma \equiv \tau$, or else by (2) a function
symbol $f_I$, with an equivalent output type to $f$, applied to a sequence obtained
from the arguments of $f$ preserving the typability of the term, denoted by the
pair $(f(x_1, \ldots, x_n), f_I(x_{i_1}, \ldots, x_{i_k}))$, for some $k \geq 0$, $i_1, \ldots, i_k \in \{1, \ldots, n\}$ and
$f_I : \sigma'_1 \times \ldots \times \sigma'_k \to \sigma'$, with $\sigma'_j \equiv \sigma_{i_j}$ for all $j \in \{1, \ldots, k\}$ and $\sigma' \equiv \sigma$. In order
to include $\beta$-reduction we consider $I$ to be the identity for $\lambda$ and $@$. Additionally,
we consider $I$ to be the identity for variables (although it can be any bijection).
We assume that there is only one pair for each symbol. Usually the identity
pairs will be omitted. Thus the interpretation $I$ of a term is obtained, as usual,
by using the pairs on the top symbol once the arguments have been recursively
interpreted.

It is easy to show that these interpretations preserve typability and the quasi-monotonicity,
stability, $\alpha$-compatibility and the inclusion of $\beta$-reduction of $\succeq_B$.

Example 2. Following Example 1, consider the interpretation $I$ defined by the
pairs $(map(x_1, x_2), x_2)$ and $(cons(x_1, x_2), cons_I(x_2))$, where $cons_I : List \to List$;
then we have that:

1. $I(map(F, cons(x, xs))) = cons_I(xs)$

2. $I(cons(@(F, x), map(F, xs))) = cons_I(xs)$

3. $I(ps(cons(x, xs))) = ps(cons_I(xs))$

4. $I(cons(x, ps(map(\lambda y.x + y, xs)))) = cons_I(ps(xs))$

5. $I(@(F, x)) = @(F, x)$ and $I(\lambda y.x + y) = \lambda y.x + y$

5.2 Building $\succeq_Q$

Now we show how higher-order quasi-reduction pairs $(\succeq_I, \succeq_Q)$ can be obtained.
This can be done in a general way, as for MSPO in [BFR00], but for simplicity
reasons we will just provide the most usual examples of quasi-orderings that
work in practice.

The simplest case is to consider that $\succeq_Q$ and $\succeq_I$ coincide, provided that $\succeq_I$ is
a quasi-reduction ordering (which is the case with the $\succeq_I$ we have defined in the
previous section).

A more elaborate case for $\succeq_Q$ is to combine lexicographically a precedence
and the quasi-ordering $\succeq_I$, that is, $\succeq_Q$ is defined as

$(\succeq_P, \succeq_I)_{lex}$

where $\succeq_P$ is a (well-founded) precedence, which can be completely different
from the precedence used in the HORPO inside $\succeq_I$. Note that the precedence is
used on terms by just comparing their head symbols. We can also add another
precedence as third component. Since $\succeq_I$ has been built to be well-founded and
the precedences are well-founded, its lexicographic combination also is. Quasi-monotonicity
of $\succeq_I$ on $\succeq_Q$ can be easily shown using the quasi-monotonicity of
$\succeq_I$.

Finally, using an idea coming from the dependency pair method [AG00],
instead of using directly $\succeq_I$ inside $\succeq_Q$, we can apply first a renaming of the
head symbol, in case it is a function symbol, before using $\succeq_I$. This renaming
allows us to apply different interpretations when a function symbol occurs at the
head than when it occurs inside the term. Therefore, thanks to the renaming,
sometimes the proof can be easier. Since this renaming is not needed in our
examples we refer to [BR01] for details.

6 Examples 

Let us illustrate the use and the power of MHOSPO, by means of several exam- 
ples. Due to the lack of room, only in the first example we will give some details 



of the checking (see [BR01| | for further details). 

Example 3. We recall example [1] 

map{F,W)^W ( 1 ) 

map{F,cons{x,xs)) — >■ cons{@{F,x),map{F,xs)) (2) 

pKD) ^ [] (3) 

ps{cons{x,xs)) — >■ cons{x,ps{map{Xy.x + y,xs))) (4) 



Termination of this TRS can be proved with >~mhospo taking hg as {hv, hi)iex- 
The precedence hv is defined by ps y-p map >-p cons and ps >-p -I-; and we 
define hi by combining >~horpo, with the precedence ps consi, as basic quasi- 
ordering and the interpretation function I defined by the pairs {map{xi,X 2 ),X 2 ) 
and {cons{xi,X 2 ),consi{x 2 )), where consi : List — >■ List. Note that with this 
interpretation for the map function only the List parameter is considered and 
the List is interpreted as the amount of cons it has, which represents its size. 
In order to prove that all rules are included in the obtained MHOSPO, we
need to check both that $l \succeq_I r$ and $l \succ_{hospo} r$ for all rules $l \to r$ in the system.
First of all recall that, since $List$ and $Nat$ are type variables (considered as sorts),
we have $List = Nat$, which will be used many times along the checking.

We start by showing that all rules are included in $\succeq_I$. Rules (1) and (2) have
the same interpretation for both sides. For rule (3) we trivially have $I(ps([\,])) =
ps([\,]) \succ_{horpo} [\,] = I([\,])$. For rule (4), $I(ps(cons(x, xs))) = ps(cons_I(xs)) \succ_{horpo}
cons_I(ps(xs)) = I(cons(x, ps(map(\lambda y.\, x + y, xs))))$, using $ps \succ_P cons_I$.

Rules (1) and (3) are included in HOSPO by the subterm case, since their right-hand
side $[\,]$ is an argument of the left-hand side. For rule (2) we show that
$map(F, cons(x, xs)) \succ_{hospo} cons(@(F, x), map(F, xs))$. We apply first case 2 (the
$\succ_Q$ case), since $map(F, cons(x, xs)) \succ_Q cons(@(F, x), map(F, xs))$ by the first compo-
nent of $\succeq_Q$, as $map \succ_P cons$. Then we need to check recursively that (1)
$map(F, cons(x, xs)) \succ_{hospo} @(F, x)$ and that (2) $map(F, cons(x, xs)) \succ_{hospo}
map(F, xs)$. For (1) we apply the application case, since $F \in CC(map(F, cons(x, xs)))$ and
$map(F, cons(x, xs)) \succ_{hospo} x$ by applying the subterm case twice. For (2) we apply again
case 2, since $map(F, cons(x, xs)) \succ_Q map(F, xs)$ by the second component of $\succeq_Q$,
as $I(map(F, cons(x, xs))) = cons_I(xs) \succ_{horpo} xs = I(map(F, xs))$, and the
recursive checking holds in the same way as before.

For the last rule we need $ps(cons(x, xs)) \succ_{hospo} cons(x, ps(map(\lambda y.\, x +
y, xs)))$. We apply case 2 using the precedence component. For the recursive
checking we only develop $ps(cons(x, xs)) \succ_{hospo} ps(map(\lambda y.\, x + y, xs))$. Then
we apply again case 2 twice, in the first case using the second component of
$\succeq_Q$ and in the second case using the precedence. Finally we show (apart from
the easy checking for $xs$) that $\lambda y.\, cons(x, xs) + y \in CC(ps(cons(x, xs)))$ using
the closure with case 2 and then case 1 with the precedence, and conclude with
$\lambda y.\, cons(x, xs) + y \succ_{hospo} \lambda y.\, x + y$, which holds easily (note that $\lambda y.\, cons(x, xs) + y$
is well-typed since $Nat = List$).

The last part of the proof of the previous example may look hard to automate,
since we have to pick a term from the computable closure of $ps(cons(x, xs))$ and
then check that it is greater than or equal to $\lambda y.\, x + y$. In practice, we look for
such a term in the computable closure in a goal-directed way: since $\lambda y.\, x + y$ is
headed by a lambda and then by $+$, we apply case 2 and case 1 and then, when we
reach $x$, we check whether some argument of $ps(cons(x, xs))$ (which belongs to
the computable closure by definition) is greater than or equal to $x$. Therefore,
since $cons(x, xs) \succ_{hospo} x$, by monotonicity we conclude, without any additional
checking, that $\lambda y.\, cons(x, xs) + y \succ_{hospo} \lambda y.\, x + y$.

Let us present another example which can be proved by MHOSPO and not 
by HORPO. We only provide the ingredients of MHOSPO which are needed to 
prove that the rules are included in the ordering. 

Example 4. Quick sort. Let the sorts be $\{Bool, Nat, List\}$,

$\mathcal{X} = \{x, y : Nat;\ xs, ys : List;\ p : Nat \to Bool\}$ and

$\mathcal{F} = \{0 : Nat,\ s : Nat \to Nat,\ le, gr : Nat \times Nat \to Bool,\ True, False : Bool,\ if : Bool \times List \times List \to List,\ [\,] : List,\ cons : Nat \times List \to List,\ +\!\!+ : List \times List \to List,\ filter : (Nat \to Bool) \times List \to List,\ qsort : List \to List\}$
$if(True, xs, ys) \to xs$

$if(False, xs, ys) \to ys$

$[\,] +\!\!+\, xs \to xs$

$cons(x, xs) +\!\!+\, ys \to cons(x, xs +\!\!+\, ys)$

$gr(0, y) \to False$

$gr(s(x), 0) \to True$

$gr(s(x), s(y)) \to gr(x, y)$

$le(0, y) \to True$

$le(s(x), 0) \to False$

$le(s(x), s(y)) \to le(x, y)$

$filter(p, [\,]) \to [\,]$

$filter(p, cons(x, xs)) \to if(@(p, x), cons(x, filter(p, xs)), filter(p, xs))$

$qsort([\,]) \to [\,]$

$qsort(cons(x, xs)) \to qsort(filter(\lambda z.\, le(z, x), xs)) +\!\!+\, cons(x, [\,]) +\!\!+\, qsort(filter(\lambda z.\, gr(z, x), xs))$

Termination of this TRS can be proved with $\succ_{mhospo}$ taking $\succeq_Q$ as $(\succeq_P, \succeq_I)_{lex}$.
The precedence $\succeq_P$ is defined by $0 \succ_P True, False$; $+\!\!+ \succ_P cons =_P
filter \succ_P if$ and $qsort \succ_P filter, +\!\!+, cons, le, gr, [\,]$; and we define $\succeq_I$ by
combining $\succeq_{horpo}$ as basic ordering and the interpretation $I$ defined by the
pairs $(filter(x_1, x_2), filter_I(x_2))$ and $(if(x_1, x_2, x_3), if_I(x_2, x_3))$, where $filter_I :
List \to List$ and $if_I : List \times List \to List$. As precedence for $\succeq_{horpo}$ we take
$0 \succ_P True, False$; $qsort \succ_P +\!\!+, cons, [\,]$ and $+\!\!+ \succ_P cons =_P filter_I \succ_P if_I$.

Let us finally mention that there are also some natural examples that come
from the disjoint union of a first-order TRS, which can be proved terminating
by MSPO (or by the dependency pair method), and a higher-order TRS, which
can be proved terminating by HORPO. Although the components can be proved
terminating separately, no method can ensure the termination of the whole sys-
tem. Using MHOSPO, we can combine the proofs (used in MSPO and
HORPO) and show its termination.



7 Conclusions 

In this paper we have presented a new ordering-based method for proving termi- 
nation of higher-order rewriting. The method properly extends both MSPO (in 
the first-order case) and HORPO (in the higher-order case). The method can be 
automated and its power has been shown by means of several examples which 
could not be handled by the previous methods. 

Finally let us mention some work already in progress and some future work 
we plan to do. 

1. We are currently working on a constraint-based termination proof method,
in the light of the dependency pair method [AG00], for the higher-order case.
Using the ideas of [BFR00], the constraints are extracted from the definition
of MHOSPO. Here we show the result of applying this method to Example 1:

$\mathcal{I}:\; map(F, [\,]) \succeq_I [\,] \;\wedge\; map(F, cons(x, xs)) \succeq_I cons(@(F, x), map(F, xs)) \;\wedge\;
ps([\,]) \succeq_I [\,] \;\wedge\; ps(cons(x, xs)) \succeq_I cons(x, ps(map(\lambda y.\, x + y, xs)))$

$\mathcal{Q}:\; MAP(F, cons(x, xs)) \succ_I MAP(F, xs) \;\wedge\;
PS(cons(x, xs)) \succ_I PS(map(\lambda y.\, x + y, xs))$
where $\mathcal{I}$ is the constraint coming from $\succeq_I$ and $\mathcal{Q}$ the constraint coming from
$\succ_Q$, considering that $\succ_Q$ is defined as the lexicographic combination of a
precedence (obtained by a simple cycle analysis) and $\succeq_I$ after applying a
renaming of head symbols.

Solving these constraints requires on the one hand, as in the first-order case, 
to automatically generate the adequate quasi-ordering (note that we are 
using the same kind of interpretations as in the first-order case) and on the 
other hand to adapt the notion of dependency graph for the higher-order 
case. 

2. We can adapt the method, in the same way as it can be done for HORPO [JR01],
to be applicable to higher-order rewriting “à la Nipkow” [MN98],
i.e. rewriting on terms in $\eta$-long $\beta$-normal form.

3. We will study other possible interpretations to build $\succeq_I$ using functionals in
a similar way as in [Pol96], but with two relevant differences. First, due to
the fact that we are building a quasi-ordering, we can use weakly monotonic
functionals instead of strict functionals. Second, since we are not working
on terms in $\eta$-long $\beta$-normal form, we have to study whether we need to
define $\succeq_I$ by first obtaining the $\eta$-long $\beta$-normal form and then interpreting the
normalized terms by using functionals. Note that if we normalize first, $\succeq_I$
will trivially include $\beta$-reduction.

4. We want to add to HOSPO more powerful cases to deal with terms headed
by lambdas, which is, by now, the main weakness of the ordering, as well as
some other improvements that have already been added to the initial version
of HORPO [JR01].

5. We want to analyze the relationship between our method and a recent
constraint-based method developed in [Pie01] for proving termination of
higher-order logic programs.
Abstract. This paper illustrates some aspects of the visual wrapper
generation tool Lixto and describes its internal declarative logic-based
language Elog. In particular, it gives an example scenario and contains a
detailed description of predicates including their input/output behavior,
and introduces several new conditions. Additionally, entity relationship
diagrams of filters and patterns are depicted and some words on the
implementation are said. Finally, some possible ramifications are dis-
cussed.



1 Introduction and System Architecture 

Almost every kind of information is available on the Web, however one cannot 
query this information in a convenient way. The task of a wrapper is to identify 
and isolate the relevant parts of Web documents, and to automatically extract 
those relevant parts even though the documents may continually change contents 
and even (to a certain extent) structure. The wrapper transforms the extracted 
parts into XML (or a relational database) to make them available for querying 
and further processing. The idea of Lixto is to visually and interactively assist a 
developer in creating and using wrapper programs able to perform these tasks. 

Lixto [3,4] is a visual and interactive wrapper generation and data extrac-
tion tool which can be used to create XML companions of HTML pages. It can
extract relevant information of an HTML page and pages which are linked to it.
Information about related approaches on wrapper generation can be found in
[1,6,7,8,9,10,11]. In this paper we give an overview of the internal language used by
Lixto, the logic-based declarative Elog web extraction language, in particular of 
its extraction predicates. The architecture of Lixto is as follows. The Extraction 
Pattern Builder guides a wrapper designer through the process of generating 
a wrapper. The extracted data of the sample page she works on is stored in 
an internal format called the Pattern Instance Base. As output, an Extraction 
Program is generated which can be applied onto structurally similar pages. The 
Extractor module is the interpreter of the internal language Elog (which is in- 
visible to the wrapper designer), and can be used as stand-alone module on an 

* All methods and algorithms of the Lixto system are covered by a pending patent.
For papers on Lixto and further developments see www.lixto.com.

R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 548-560, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001
Fig. 1. Pattern hierarchy of a recursive eBay program and a sample eBay page



extraction program and an HTML page to generate an XML companion. To 
this end, the internal data format of the pattern instance base can be selectively 
mapped to XML by using the visual XML Translation Builder to generate an 
XML Translation Scheme which can be accessed by the Extractor. 

This paper is organized as follows. In Section 2 the visual wrapper generation
of Lixto is explained in an example-based way, whereas Section 3 is devoted to
a description of the syntax and semantics of Elog, in particular its predicates,
and a description of filters and patterns and their relationships. Section 4 gives
an outline of the actual Lixto implementation. The final section describes some
current and future work. For a general overview of Lixto, empirical results, and
some comparison with competing tools we refer to [1]. For the details of one
example, we refer to [3]. For further discussion of some advanced features of
Lixto such as recursive aspects, we refer to [2].

2 User View 

We briefly describe how to work with the Extraction Pattern Builder. In particu- 
lar, the following screenshots (Figs. 1 and 2) are taken from the new release of the
current Lixto beta version. With Lixto, a wrapper designer can create a wrapper 
program in a fully visual and interactive way by teaching the system what to 
extract based on one (or more) example pages. Each such program consists of a 
Fig. 2. Adding a filter extracting the tree region containing “next page”



number of patterns. Each pattern characterizes one kind of information, e.g. all 
prices. 

After creating a new program and opening a sample document, the designer 
can start to define patterns. She selects a pattern type (tree, string or document 
pattern) and a pattern name. Patterns carry user-defined names which are also 
used as default XML tags. To each pattern one or more filters can be added. 
A pattern extracts the instances matched by all its filters. In our implemen- 
tation, when defining a filter, the designer selects an example instance and an 
attribute selection mechanism, and in the background the system generates a 
basic Elog rule representing this filter by choosing a suited element path and 
some attributes. Then the designer can test which instances are matched by the 
current filter. 

If undesired targets are matched, she has the choice to refine the filter by 
adding conditions to it. Filters are added as long as some desired pattern in- 
stances are not yet matched. Alternately imposing conditions and adding new 
filters the desired information can be perfectly characterized. 

Assume an example scenario in which a developer wishes to create a wrapper 
program for eBay. First, the wrapper designer chooses a relevant example page, 
e.g. a page on notebooks of a particular brand (Fig. 1). Next, the designer adds
a pattern which identifies records by simply choosing one example record, and 
adding additional conditions such as “somewhere before an instance a headline 
must occur”, and “somewhere after an instance a horizontal rule image must
occur”. After having constructed a record pattern, she chooses to add child pat-
terns of record which characterize item descriptions, prices, dates and numbers
of bids. In the case of dates she e.g. uses the fact that it is the last table data
entry of a record. In the case of an item description, the wrapper relies on the
occurrence of hyperlinks, and in the case of prices, a term of the predefined concept
isCurrency is required to be part of the contents. The generated Elog rules, which
are usually hidden from the wrapper designer, are given in Figure 6.

As the relevant information is not presented on a single eBay page only, but 
split over several, in this case 18 pages, the designer is interested in mapping 
the data of subsequent pages in the same fashion to the same XML document. 
Lixto allows the user to re-use the pattern structure defined for a single page 
due to support of recursive features. In this case, the designer uses the value of 
the “next” link (see Fig. 1), whose attribute value href is used for extracting
further eBay documents. 

First, the wrapper designer selects the “(next page)” element through
two consecutive mouse-clicks directly in the browser display. Fig. 2 shows the
manual attribute selection user interface. In this case, a unique match on each
page is required. Therefore the wrapper designer imposes strict criteria such as
that the content of the selected element has to contain the text “next page”.
Alternatively, the wrapper designer could choose to enter a regular expression or
predefined concepts. In this case, the filter matches exactly the desired instance,
so there is no need to impose additional conditions. As a next step, the wrapper
designer adds a filter to ebaydocument which points to the parent next. In this
way, the pattern structure is altered from a plain tree to a cyclic pattern graph,
and extracted instances of next are used as input instances to extract further
instances of ebaydocument. The resulting pattern graph is visualized in Lixto as a
partially expanded infinite tree (see Fig. 1).

With the XML Translation Builder, a wrapper designer can define which
patterns shall be mapped to XML and in which way. One can for instance define
that all eBay records are treated on the same level, and that the next pattern
is not written to XML. A part of the resulting XML companion is depicted in
Figure 3. It can be used for further information processing. If the page structure
does not change significantly, the Extractor will continue to work correctly on
new pages, especially if rather stable conditions had been chosen by the wrap-
per designer. Even designers neither familiar with HTML nor capable of script
programming can create complex Lixto wrappers.



3 Elog Language Definition 

3.1 Document Model and Extraction Mechanisms 

As explained in previous work, Elog operates on a tree representation of an HTML doc-
ument. The nodes of the HTML tree are referred to as elements. Each element 
is associated with an attribute graph which stores pairs of attribute-designators 
and corresponding attribute-values, a node number, and a start and end charac-
ter offset. The extraction objects over which variables range are tree regions and 
string sources of a given HTML document. A tree region characterizes lists of 
elements (e.g. a list of three table rows) or single elements (e.g. a paragraph). A 
filter is internally represented as a “datalog like” rule. Conditions are reflected 
by additional body atoms. 



Fig. 3. XML output of eBay example (excerpt: <bids>-</bids>, <date>Jul-13 15:55</date>, and a <price> element)



W.r.t. tree extraction, as defined in earlier work, an element path definition character-
izes a path with some additional attribute requirements and is hence very similar
to an XPath query. As an example, consider (.*.hr, [(size, 3), (width, .*)]). This
element path definition identifies horizontal rules (the star acts as a wildcard) of
size 3 with some specified width attribute (regardless of the attribute value, due
to “.*”). Observe that for a simpler language definition we recently introduced
the hasProperty predicate to express the required attributes independently, in
this example e.g. with hasProperty(X, size, 3) where X ranges over instances of
.*.hr. Additionally, an attribute condition might refer to a variable (see Fig. 6,
the rule for price) on which additional constraints are posed by some predicate.

The second extraction method, string extraction, is usually applied to
decompose the content value of a leaf element. A string definition is character-
ized as a regular expression in which additionally some variable references to e.g.
predefined concepts might occur. As an example consider the string definitions
occurring as second parameter of the subtext predicate in the rules defining cur-
rency and amount in Figure 6. Additionally, attribute values can be extracted
using an attribute definition, which is simply a particular attribute designator.
The built-in predicates of the Elog language implement basic extraction tasks.
Elog predicates are atoms of the form P(t1, ..., tn), where P is a predicate name
and t1, ..., tn are either variables or constants whose values range over tree regions,
string sources, constant path definition objects, and numerical arguments (such
as distance parameters). The union of these classes is referred to as the Herbrand
universe on which an Elog program operates.



3.2 Extraction Definition Predicates 

Extraction definition predicates contain a variable which is instantiated with
instances of a parent pattern of the rule in which they occur, and based on
the element path definition return instances of the new pattern. They form the
basic body predicate of an extraction rule. Each Elog rule contains exactly one
extraction definition predicate. These predicates form three different groups,
depending on whether they extract a tree region, a string source, or a new document.

— subelem(S, epd, X), subsq(S, epd, X): A ground instance subelem(s, epd, x)
evaluates to true iff s is a tree region, epd an element path definition, x is a
subtree in s and root(x) matches epd. subsq operates similarly, but extracts
tree regions (a list of elements as one extraction instance).

— subatt(S, ad, X), subtext(S, sd, X): The first predicate extracts from a tree
region S attribute values of a given attribute definition ad as instances of X,
whereas the second one extracts substrings which fulfill a string definition
sd. Parent instances are tree regions in the case of subatt, and may be both string
or tree regions in the case of subtext.

— getDocument(S, X), getDocumentOfHref(S, X) extract from a given URL as
instance of S (a string source in the first case, and in the second case an
instance of a tree region whose href attribute is considered) a new document
as a tree region.
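To make the element path definition of Section 3.1 and the three extraction definition predicates above concrete, here is an added Python example; it is not Lixto's own code, whose implementation the paper does not show. It builds the element tree with Python's html.parser (node numbers in document order, as the paper describes), matches a path such as .*.hr against the chain of tags leading from the parent region to a candidate element, checks attribute requirements as full regular-expression matches, and evaluates subelem, subatt and subtext over a constructed eBay-like fragment. The path semantics (a * component matches any number of intermediate elements, the path is anchored at the parent region) and the elementtext pseudo-attribute are assumptions chosen to mirror the text, not Lixto's definitions.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional, Tuple, Union


@dataclass(eq=False)
class Node:
    """One element: tag, attributes, node number (document order), parent, ordered content."""
    tag: str
    attrs: dict
    number: int
    parent: Optional["Node"] = None
    children: List[Union[str, "Node"]] = field(default_factory=list)

    def text(self) -> str:
        # elementtext: concatenated character data of the element and its descendants
        return "".join(c if isinstance(c, str) else c.text() for c in self.children).strip()


class TreeBuilder(HTMLParser):
    VOID = {"hr", "br", "img", "input", "meta", "link"}   # elements without an end tag

    def __init__(self) -> None:
        super().__init__()
        self.root = Node("document", {}, 0)
        self.stack = [self.root]
        self.counter = 0

    def handle_starttag(self, tag, attrs):
        self.counter += 1
        node = Node(tag, {k: (v or "") for k, v in attrs}, self.counter, self.stack[-1])
        self.stack[-1].children.append(node)
        if tag not in self.VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):   # pop to the matching open element
            if self.stack[i].tag == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip():
            self.stack[-1].children.append(data)


def build(html: str) -> Node:
    parser = TreeBuilder()
    parser.feed(html)
    parser.close()
    return parser.root


def descendants(node: Node):
    for child in node.children:
        if isinstance(child, Node):
            yield child
            yield from descendants(child)


def tag_chain(region: Node, node: Node) -> List[str]:
    """Tags from just below the region root down to node, e.g. ['html', 'body', 'hr']."""
    chain = []
    while node is not None and node is not region:
        chain.append(node.tag)
        node = node.parent
    return chain[::-1]


def match_path(path: List[str], chain: List[str]) -> bool:
    # '*' stands for any number (including zero) of intermediate elements (assumption)
    if not path:
        return not chain
    if path[0] == "*":
        return any(match_path(path[1:], chain[i:]) for i in range(len(chain) + 1))
    return bool(chain) and chain[0] == path[0] and match_path(path[1:], chain[1:])


def attrs_match(node: Node, reqs: List[Tuple[str, str]]) -> bool:
    # (width, .*) requires the attribute to be present; the regex must match the whole value
    for name, pattern in reqs:
        value = node.text() if name == "elementtext" else node.attrs.get(name)
        if value is None or re.fullmatch(pattern, value, re.S) is None:
            return False
    return True


def subelem(region: Node, epd: Tuple[str, List[Tuple[str, str]]]) -> List[Node]:
    """subelem(S, epd, X): elements below the region whose root matches the element path definition."""
    path = [p for p in epd[0].split(".") if p]            # ".*.hr" -> ["*", "hr"]
    return [x for x in descendants(region)
            if match_path(path, tag_chain(region, x)) and attrs_match(x, epd[1])]


def subatt(region: Node, ad: str) -> List[str]:
    """subatt(S, ad, X): values of attribute designator ad found in the region."""
    return [x.attrs[ad] for x in descendants(region) if ad in x.attrs]


def subtext(region: Node, sd: str) -> List[str]:
    """subtext(S, sd, X): substrings of the region's text matching the string definition."""
    return [m.group(0) for m in re.finditer(sd, region.text())]


# Constructed sample page shaped like the eBay listing of the paper; not a real page.
SAMPLE_HTML = """<html><body><h3>Current Items</h3><table>
<tr><td><a href="/item/1">Laptop A</a></td><td>$300.00</td><td>3</td><td>Jul-13 15:55</td></tr>
<tr><td><a href="/item/2">Laptop B</a></td><td>$1250.00</td><td>-</td><td>Jul-14 09:10</td></tr>
</table><hr size="3" width="90%"><hr size="1"><a href="/page2">(next page)</a></body></html>"""


def demo() -> dict:
    doc = build(SAMPLE_HTML)
    rules = subelem(doc, (".*.hr", [("size", "3"), ("width", ".*")]))      # the paper's example epd
    prices = subelem(doc, (".*.td", [("elementtext", r"\$[0-9]+\.[0-9]+")]))
    return {"rules": [h.number for h in rules],
            "prices": [td.text() for td in prices],
            "links": subatt(doc, "href"),
            "amounts": [a for td in prices for a in subtext(td, r"[0-9]+\.[0-9]+")]}
```

Only the first hr is returned for the paper's example: the second one has no width attribute at all, so the requirement (width, .*) fails even though the regex accepts any value. Using re.fullmatch rather than re.search keeps an attribute requirement from matching on an accidental substring of a longer value.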



3.3 Elog Rules and Patterns 

Filters are represented using Elog extraction rules. Rules contain condition atoms 
which are explained in the next section. 

A standard rule defines a component pattern X of a pattern S (thus, aggre-
gation hierarchies can be defined). Standard rules are of the form: New(S, X) ←
Par(_, S), Ex(S, X), Cd(S, X, ...)[a, b], ..., [c, d], where New and Par are pattern
predicates referring to the pattern defined by this rule and its parent pattern. S
is the parent variable to be instantiated with a parent-pattern instance, X is the
target variable to be instantiated with an extracted pattern instance, Ex(S, X)
is a tree (string) extraction definition atom, and the optional Cd(S, X, ...) is
a number of further conditions imposed on the target pattern. The extracted
instances of a rule can be restricted to several intervals, where [a, b] expresses
that instance number a up to instance number b are considered. Additionally,
a rule extracts minimal instances only.
Fig. 4. Pattern Extended Entity Relationship Diagram



A specialization rule specializes a pattern Old to a pattern New:
New(S, X) ← Old(S, X), Cd(S, X, ...)[a, b], ..., [c, d]. A document rule
extracts new documents from given URLs. It can use the document conditions
DocCd mentioned below as restrictions: New(S, X) ←
Par(_, S), getDocument(S, X), DocCd(S, X, ...). Document filters can also
refer to relative URLs by accessing the information stored in the previous URL.

An Elog pattern (definition) p is a set of Elog rules with the same head 
predicate symbol. An Elog pattern is called homogeneous, if all its filters refer 
to the same parent pattern, otherwise heterogeneous. In case of a homogeneous 
pattern, the notion of “parent pattern” can be associated with a pattern rather 
than with its filters. It is forbidden to combine tree, string or document filters 
with each other within one pattern. The head predicate is an IDB predicate; it 
is visually defined with Lixto and named by the wrapper designer. This name 
is also used as default XML tag in the XML mapping [4]. Also the extracted 
instances of a pattern are minimized. In our current implementation, we chose 
to consider only those instances not contained in any other instance of the same 
parent-pattern instance. 

Patterns (and their filters) are restricted in their use of parent patterns and
pattern references as depicted in the right-hand part of Figure 4. An arc from
pattern a to b indicates that the filters of a pattern of kind a can refer to patterns
of kind b as parents using the mentioned extraction definition predicate. An
EER diagram illustrating relationships between patterns and filters is given in
Figure 4 on the left side, and Figure 5 shows an EER diagram which illustrates
filter and condition relationships in detail.

The semantics of extraction rules is very similar to the semantics of standard 
datalog rules. There are two possibilities to assign a semantics to an Elog pro- 
gram. The first is to define an own semantics (which exploits many similarities 
to Datalog), the second is to rewrite an Elog program (see [2]) as a Datalog pro-
gram and apply the standard Datalog semantics. An Elog program differs from 
Datalog in the following aspects: 

— Built-In Predicates. In Elog several built-in predicates (e.g. subelem) are used 
which are restricted to a fixed input/output behavior. Moreover, constants 
for navigating tree regions and string sources are used. 
Fig. 5. Filter Extended Entity Relationship Diagram



— Range conditions. A rewriting of range conditions introduces new rules con- 
taining negation and generates a stratified Datalog program. In Elog, range 
conditions are applied after evaluating the rule and by removing all instances 
not within the range intervals. In case an Elog program uses ranges and arbi- 
trary pattern references, this intuitive meaning gets lost, and in the Datalog 
rewriting, the program is no longer stratified. 

— Minimizations. By default, in Elog both the instances extracted by a single 
rule, and by a pattern are minimized, i.e. just the minimal tree regions or 
strings are considered. Representing this in Datalog requires additional rules 
and further built-in predicates such as containedin. 

In the current implementation of Lixto, full Elog is not yet supported, as 
some syntactic restrictions are made. For example, use of pattern references is 
limited. 

3.4 Extraction Program and Pattern Instance Base 

An Elog extraction program P is a collection of Elog patterns. A program can be 
represented via its pattern graph [2]. A directed arc is drawn from one pattern to
another one, if there is at least one filter referring to the first pattern as parent. 
The pattern graph is a tree in case of homogeneous programs. We denote by
P(H) the pattern instance base created by evaluating all patterns of P over an
HTML document H and storing them in their hierarchical order. The vertices
of P(H) are all pattern instances extracted by P with start document H.
There is an arc from vertex a to vertex b in P(H) if and only if b is the parent-
pattern instance of a. Each pattern instance is associated with a pattern name.
ebaydocument(S, X) ← getDocument(S = $1, X)
ebaydocument(S, X) ← next(_, S), getDocumentOfHref(S, X)
next(S, X) ← ebaydocument(_, S), subelem(S, (*.content, [(href, .*), (elementtext, (next page))]), X)
record(S, X) ← ebaydocument(_, S), subelem(S, .table, X), before(S, X, (*.tr, [(elementtext, .*Current.*)]), 0, 100, _, _), after(S, X, (*.img, [(src, .*spacer.gif)]), 0, 100, _, _)
itemdes(S, X) ← record(_, S), subelem(S, (*.td.*.content, [(href, .*)]), X)
price(S, X) ← record(_, S), subelem(S, (*.td, [(elementtext, \var[Y].*)]), X), isCurrency(Y)
bids(S, X) ← record(_, S), subelem(S, *.td, X), before(S, X, .td, 0, 30, Y, _), price(_, Y)
date(S, X) ← record(_, S), subelem(S, *.td, X), notafter(S, X, .td, 100)
currency(S, X) ← price(_, S), subtext(S, \var[Y], X), isCurrency(Y)
amount(S, X) ← price(_, S), subtext(S, [0-9]+\.[0-9]+, X)

Fig. 6. Elog Extraction Program for linked eBay pages



The pattern instance base is a forest of hierarchically ordered pattern instances. 
Each tree corresponds to the extracted values from one particular HTML doc- 
ument. The pattern instance base is an intermediate data representation used 
by the XML translation builder to create an XML translation scheme and a 
corresponding XML companion. 

As an example program, consider the eBay program in Figure 6. The pattern
ebaydocument is a document pattern consisting of two filters with different par-
ents. The first one refers to the starting document, which is in this case fixed,
whereas the second one follows the “next” link on each page. “$1” is interpreted
as a constant whose value is the URL of the start document of a Lixto session.
The condition predicates used are explained below.

3.5 Context and Internal Condition Predicates 

Context condition predicates further restrain the instances matching an extrac-
tion definition atom based on their surroundings. In the accompanying figure we illustrate, based on
an example tree region, which nodes can be referred to by context and internal con-
ditions. By default, context conditions operate only within the current parent-
pattern instance. Context conditions express that something must or must not
occur before or after an instance. They can operate on tree regions or string
sources, hence they use a string definition or an element path definition.

In our actual implementation, the before and after conditions are further
qualified by an interval (start, end) of relative distance parameters expressing
how far the external element may occur from the desired pattern instance to be
extracted. For an example of condition predicates, see the rule defining record in
Figure 6. There, an after and a before condition are used. The first two parame-
ters are the parent-instance and target-instance variables, followed by an element path
definition; the next arguments indicate a minimum and a maximum distance,
and the two final parameters are output variables. These are instantiated with
the actual instance and the actual distance, and can be referred to by further
predicates.

Further supported contextual condition predicates are above and below, which
make use of an additionally defined attribute designator colno which expresses
column numbers. A ground instance below(s, x, epd, y) evaluates to true iff s and
x are tree regions, epd is an element path definition and y is a subtree of s such
that root(y) is matched by epd, and y occurs before x and has the same value for
the attribute colno. If a designer wants to extract the third column of a table, but
only starting with the fifth line, then she first defines to use colno=3, and then
imposes the condition that it occurs under the contents as given in the fifth entry
(or some attribute information of the fifth entry). below is similar to after where
epd contains “colpos=[value]”, with the difference that the value depends on the
colno value of the target instance and vice versa. Moreover, we offer the possibil-
ity of contextual conditions which refer to elements outside the parent-pattern
instance, e.g. within the “grandparent”, etc. Such an extended concept is
very useful together with below/above predicates in hierarchical extraction.

Internal condition predicates include contains, which is used for restricting 
extracted pattern instances based on properties contained in the instances them- 
selves, i.e. in the tree regions that constitute those instances. The firstsubtree 
condition states that the first child of a tree region must contain a particular 
element - this is very useful for defining lists of elements, as it gives the possi- 
bility to express that the first and last child must contain some elements with 
specific properties. 
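The context conditions of this section, together with the range conditions and the minimization of instances described in Section 3.3, can be exercised with the following added Python example; it is not Lixto's code. It works on a constructed flat list of elements (node number, tag, character offsets, text) standing for one ebaydocument instance, and it assumes that the distance between two elements is the difference of their node numbers and that containment is decided by character offsets; both are assumptions, since the paper does not fix them. The rules it mimics are the record, date and bids rules of Fig. 6, with the element path definitions reduced to a tag name plus an optional elementtext requirement.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Elem:
    """An element of a tree region: node number in document order, tag, character offsets, text."""
    number: int
    tag: str
    start: int
    end: int
    text: str = ""


def epd(tag: str, text_re: Optional[str] = None) -> Callable[[Elem], bool]:
    """Element path definition reduced to a tag name and an optional (elementtext, regex) requirement."""
    return lambda e: e.tag == tag and (text_re is None or re.fullmatch(text_re, e.text) is not None)


def contains(outer: Elem, inner: Elem) -> bool:
    # strict containment by character offsets (assumption)
    return (outer.start <= inner.start and inner.end <= outer.end
            and (outer.start, outer.end) != (inner.start, inner.end))


def distance(a: Elem, b: Elem) -> int:
    return abs(a.number - b.number)          # assumption: node-number difference


def before(region: Sequence[Elem], x: Elem, m, lo: int, hi: int) -> List[Tuple[Elem, int]]:
    """before(S, X, epd, lo, hi, Y, D): matching elements preceding X within the distance interval.
    The (element, distance) pairs play the role of the output arguments Y and D."""
    return [(y, distance(x, y)) for y in region
            if m(y) and y.number < x.number and not contains(y, x) and lo <= distance(x, y) <= hi]


def after(region: Sequence[Elem], x: Elem, m, lo: int, hi: int) -> List[Tuple[Elem, int]]:
    return [(y, distance(x, y)) for y in region
            if m(y) and y.number > x.number and not contains(x, y) and lo <= distance(x, y) <= hi]


def notafter(region: Sequence[Elem], x: Elem, m, hi: int) -> bool:
    return not after(region, x, m, 0, hi)


def apply_ranges(instances: Sequence[Elem], intervals: Sequence[Tuple[int, int]]) -> List[Elem]:
    """Range condition [a, b], ..., [c, d] on 1-based positions in order of appearance;
    negative numbers count from the end (-1 is the last instance)."""
    n = len(instances)
    norm = lambda k: k if k > 0 else n + 1 + k
    return [inst for i, inst in enumerate(instances, start=1)
            if any(norm(a) <= i <= norm(b) for a, b in intervals)]


def minimize(instances: Sequence[Elem]) -> List[Elem]:
    """Keep only minimal instances: drop any instance that strictly contains another one."""
    return [x for x in instances if not any(contains(x, y) for y in instances)]


# Constructed ebaydocument instance: a header row, one record row with four cells, a spacer image.
REGION = [
    Elem(1, "tr", 0, 30, "Current Items"),
    Elem(2, "tr", 31, 200),
    Elem(3, "td", 35, 60, "Laptop A"),
    Elem(4, "a", 40, 58, "Laptop A"),
    Elem(5, "td", 61, 80, "$300.00"),
    Elem(6, "td", 81, 90, "3"),
    Elem(7, "td", 91, 120, "Jul-13 15:55"),
    Elem(8, "img", 201, 210),
]


def demo() -> dict:
    trs = [e for e in REGION if e.tag == "tr"]
    tds = [e for e in REGION if e.tag == "td"]
    # record: rows with a "Current ..." row before them and a spacer image after them, both within 100
    record = [x for x in trs
              if before(REGION, x, epd("tr", ".*Current.*"), 0, 100) and after(REGION, x, epd("img"), 0, 100)]
    # date(S, X) <- subelem(S, *.td, X), notafter(S, X, .td, 100): the last cell of the record
    date = [x for x in tds if notafter(REGION, x, epd("td"), 100)]
    # bids: the cell immediately after a price cell, i.e. before(S, X, .td, 0, 1, Y, _), price(_, Y)
    price = [x for x in tds if epd("td", r"\$[0-9]+\.[0-9]+")(x)]
    bids = [x for x in tds if any(y in price for y, _ in before(REGION, x, epd("td"), 0, 1))]
    first_last = apply_ranges(tds, [(1, 1), (-1, -1)])     # range condition [1,1],[-1,-1]
    minimal = minimize([REGION[1], REGION[2], REGION[3], REGION[4]])
    found = dict(record=record, date=date, bids=bids, first_last=first_last, minimal=minimal)
    return {k: [e.number for e in v] for k, v in found.items()}
```

With the paper's interval (0, 30) the bids rule would also accept the date cell of this row, since the price cell is only two elements away; the interval (0, 1) used here is the "immediately before" idiom the paper gives in Section 3.6.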



3.6 Auxiliary Conditions and Conditions on Document Filters 

Concept predicates are unary or binary relations. They refer to semantic concepts
such as isCity(X), expressing that the string is a city name, or syntactic ones
like isDate(X, Y). Predicates like isDate(X, Y) can create an output variable:
e.g. for an input date x, the system returns a date in normal form y. Some
predicates are built-in, however more concepts can be added to the system using
the convenient Lixto concept editor. Moreover, for several concepts, comparison
predicates allow to compare values (e.g. dates) such as <(X, Y).

Pattern predicates of the head are the IDB predicates defined by the wrap- 
per designer. Those of the body refer to previously created patterns. Each 
matched pattern instance is element of one designated pattern; for example, 
price may be a pattern name and the matched targets are its instances. Each 
aggregation filter contains a reference to its parent pattern. Additionally, as 
discussed above, further pattern references are possible. For instance, a price
pattern can be constructed by imposing the constraint that immediately be-
fore a target of pattern item needs to occur, which is expressed in Elog as
before(S, X, .*.content, 0, 1, Y, _), item(_, Y).

Range conditions do not correspond to predicates in the usual sense. They 
allow a designer to express conditions on the cardinality of the set of targets 
extracted with a filter based on their order of appearance in the parent-pattern 
instance. Such restriction intervals need not be contiguous, as a set of intervals 
can be used. Negative numbers reflect counting from the opposite side. 

On document filters the following conditions can be imposed: smaller(X, v) 
requires that the size of a Web page that is an instance of X is smaller than some 
given value v in KB. samedomain(X, Y) evaluates to true iff instances of X and 
Y (where Y is usually a constant) are URLs of the same domain. Moreover, 
one can specify a number v for each document pattern: if the pattern has already 
been evaluated v times, then no further evaluation occurs. 

3.7 Input-Output Behavior of Elog Predicates 

As already mentioned, one additional feature of Elog is that built-in predicates 
have an input-output behavior (adornments) that prevents them from being 
freely used in Elog rules. An extraction definition predicate, for instance, uses a 
parent-pattern variable as input and a pattern variable as output, which is used 
as input variable in condition predicates. An atom can be evaluated only after all 
its input variables are bound to effective values. The following list specifies for 
each argument position of each built-in predicate the type, input (i) or output 
(o), of the variables that occur in that position. An underscore indicates that 
the type (input/output) is irrelevant. 



subelem(i, i, o) 
subsq(i, i, o) 
subtext(i, i, o) 
subatt(i, i, o) 
getDocument(i, o) 
before(i, i, i, i, i, o, o) 
notbefore(i, i, i, i) 
below(i, i, i, o) 
contains(i, i, o) 
notcontains(i, i) 
firstsubtree(i, i) 
parentpattern(_, o) 
isPattern(i, i) 
isConcept(i) 
isConcept(i, o) 
compare(i, i) 



As an example of a unary concept, consider isCity(i), and of a binary concept, 
consider isDate(i, o). An example of a pattern reference is price(i, i), and an 
example of a comparison condition is <(i, i). 

The element path definition (string definition) is usually a constant input, 
but can additionally contain variables. These variables are treated as output 
variables. They occur in case of a reference to some concept atom (e.g. see the 
above example rule defining price). The instances of each variable that occurs 
in an element path definition are as usual all possible matches. 

The Elog Web Extraction Language 559 

Fig. 8. Sketch of Lixto's package structure 

Consider the following example: price(S, X) ← record(_, S), subelem(S, (.*.td, 
[(elementtext, \var[Y].*)]), X), isCurrency(Y). The predicate record is eval- 
uated and all instances s of S are generated; they are used to evaluate the ex- 
traction definition predicate. subelem computes possible instances x and y of X 
and Y based on the given tree path. All possible substitution instances (s, x, y) 
are stored. After y is bound, isCurrency(Y) is evaluated. 
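As an added illustration (not code from the Lixto system), the following Python encodes the adornment table above and derives, for the price rule just discussed, an evaluation order in which every atom is evaluated only after all of its input variables are bound; the tuple encoding of atoms, the parentpattern adornment assumed for record and the unary concept adornment assumed for isCurrency are assumptions made here.

```python
import re

# Adornment table of Section 3.7, keyed by (predicate, arity): i = input, o = output,
# _ = irrelevant. isConcept exists in a unary and a binary form, hence the arity in the key.
ADORNMENTS = {
    ("subelem", 3): "iio", ("subsq", 3): "iio", ("subtext", 3): "iio", ("subatt", 3): "iio",
    ("getDocument", 2): "io", ("before", 7): "iiiiioo", ("notbefore", 4): "iiii",
    ("below", 4): "iiio", ("contains", 3): "iio", ("notcontains", 2): "ii",
    ("firstsubtree", 2): "ii", ("parentpattern", 2): "_o", ("isPattern", 2): "ii",
    ("isConcept", 1): "i", ("isConcept", 2): "io", ("compare", 2): "ii",
}

VAR = re.compile(r"^[A-Z]\w*$")                # variables start with an upper-case letter
PATH_VAR = re.compile(r"\\var\[([A-Z]\w*)\]")  # \var[Y] embedded in an element path definition


def adornment(atom, extra):
    """i/o pattern of an atom; `extra` supplies the patterns of user predicates (pattern
    references and concepts) that are not in the built-in table."""
    name, args = atom
    return extra.get((name, len(args))) or ADORNMENTS[(name, len(args))]


def can_evaluate(atom, bound, extra):
    """An atom may be evaluated once every variable in an input position is bound."""
    return all(a in bound or not VAR.match(str(a))
               for a, io in zip(atom[1], adornment(atom, extra)) if io == "i")


def bindings_after(atom, bound, extra):
    """Variables bound after evaluating the atom: its output positions plus the \\var[...]
    variables of an element path definition, which the text treats as outputs."""
    new = set(bound)
    for a, io in zip(atom[1], adornment(atom, extra)):
        if io == "o" and VAR.match(str(a)):
            new.add(a)
        elif io == "i" and isinstance(a, str):
            new.update(PATH_VAR.findall(a))
    return new


def evaluation_order(body, extra=None, bound=()):
    """Return the predicate names of `body` in an order that respects the adornments,
    picking at each step the first atom whose inputs are bound; raise if none exists."""
    extra, bound, remaining, order = extra or {}, set(bound), list(body), []
    while remaining:
        ready = [a for a in remaining if can_evaluate(a, bound, extra)]
        if not ready:
            raise ValueError("unbound input variables in: " + ", ".join(a[0] for a in remaining))
        atom = ready[0]
        remaining.remove(atom)
        order.append(atom[0])
        bound = bindings_after(atom, bound, extra)
    return order


# Constructed encoding of the rule price(S, X) <- record(_, S),
#   subelem(S, (.*.td, [(elementtext, \var[Y].*)]), X), isCurrency(Y).
PRICE_BODY = [
    ("record", ["_", "S"]),
    ("subelem", ["S", r"(.*.td, [(elementtext, \var[Y].*)])", "X"]),
    ("isCurrency", ["Y"]),
]
# Assumed adornments: record is the parent pattern reference (parentpattern(_, o)),
# isCurrency is a unary concept (i).
PRICE_EXTRA = {("record", 2): "_o", ("isCurrency", 1): "i"}

if __name__ == "__main__":
    print(evaluation_order(PRICE_BODY, PRICE_EXTRA))        # ['record', 'subelem', 'isCurrency']
    print(evaluation_order(PRICE_BODY[::-1], PRICE_EXTRA))  # same order, recovered from the bindings
```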



4 Implementation and Package Structure 

Lixto is implemented entirely in Java. We chose to implement our own Elog 
interpreter instead of using an existing Datalog interpreter and rewriting rules 
into Datalog. Figure 8 gives an overview of Lixto's package structure: extrac- 
tion is the Elog interpreter. It is accessed by session, where the actual rule and 
condition creation is carried out. generation handles the pattern generation al- 
gorithm, which decides which action is followed by which step in the interactive 
creation process. Currently, two frontends are supported: a local client and a 
servlet frontend (web). The latter offers the wrapper designer the possibility to 
mark relevant data areas in her favorite browser, e.g. Netscape or Internet Ex- 
plorer. common contains shared objects and message files, whereas in concept 
the syntactic and semantic concept editors (for a sample screenshot see Fig. 9) 
are located. 

5 Ramifications, Current and Future Work 

Various extensions of Elog are obvious, such as using various forms of negation. 
Current theoretical research investigates the expressive power of Elog wrappers 
over unranked labeled trees. Further ramifications of Elog include universally 
quantified conditions and complement extraction, e.g. to remove advertisements 
from Web pages. Additionally, the framework of document navigation is being 
extended to also give the possibility to issue post requests. Moreover, current 
work is devoted to implementing consistency check alerts that can be defined in 
the XML translation builder: the user is given the choice to impose a required 
multiplicity of an element. Based on this, an XML document type definition 
can be created, and moreover, warnings are given if a criterion is not satisfied 
on some input Web page. A Pattern Description Language is being developed 
which translates Elog rules into colloquial expressions. A conversion tool that 
transforms a subset of Elog programs into XSLT will be developed; hence, for a 
limited class of programs, simply a stylesheet and an HTML page can be used to 
produce an XML companion. Finally, some AI methods will be added to support 
the user, and Lixto will be embedded into the InfoPipes framework [3]. 

Fig. 9. Lixto's semantic concepts editor 
Abstract. Census data provide valuable insights on the economic, social and 
demographic conditions and trends occurring in a country. Census data is collected 
by means of millions of questionnaires, each one including the details of the 
persons living together in the same house. Before the data from the questionnaires 
is sent to the statisticians to be analysed, a cleaning phase (called "imputation") 
is performed, in order to eliminate consistency problems, missing answers, or 
errors. It is important that the imputation step is done without altering the statistical 
validity of the collected data. The contribution of this paper is twofold. On the one 
hand, it provides a clear and well-founded declarative semantics to questionnaires 
and to the imputation problem. On the other hand, a correct modular encoding of 
the problem in the disjunctive logic programming language DLP^w, supported by 
the DLV system, is shown. It turns out that DLP^w is very well-suited for this goal. 
Census data repair appears to be a challenging application area for disjunctive 
logic programming. 



1 Introduction 

In most countries, a census of population is held every five or ten years. The census 
consistently updates the most fundamental source of information about a country. The 
collected information provides a statistical portrait of the country and its people. The 
census is the only reliable source of detailed data for small population groups such as the 
very elderly or specific industrial and occupational categories, and for small geographic 
areas such as, for example, a city neighbourhood. Census data can be used in many 
ways, such as providing the boundaries for federal electoral districts, helping businesses 
to select new manufacturing sites, analysing markets for products and services, and 
developing employment policies and programs. 

Each family compiles a questionnaire, which includes the details of the head of the 
household (householder) together with the other persons living in the house. The forms 
are collected and then analysed by statistical agencies in order to modify and update the 
population household statistics. Questionnaires may be incomplete and/or may contain 
inconsistent information. It turns out that a significant proportion of the forms have 
problems of this kind, which if not corrected could severely alter the updated statistics. 
There are millions of questionnaires to be processed each time, and it is desirable to 
employ methodologies to detect (edit) and automatically resolve (impute) errors in the 
forms. All the methodologies currently employed by the census agencies, including 
the most popular Fellegi and Holt methodology [7], are based on statistical principles, 
which do not have a clear semantics with respect to the complexity of the various errors 
that may happen, so that their behaviour while imputing the data is often unpredictable. 
Moreover, it is difficult to compare the various methodologies, since they are defined 
only on a procedural basis. 

The first contribution of this paper is to define in a pure classical logic setting the 
semantics of the edit and imputation problems. The approach is very general and very 
expressive, since it makes use of full First Order Logic. In Section 4 the framework 
is defined in its generality, while making use of a simplified basic questionnaire as a 
running example. The advantage of this approach is the ability to specify in a declarative 
fashion the characteristics of the census questionnaire, the intra- and inter-question 
constraints, and the additional statistical information required to guide the corrections. 
This is the first proposal in the literature making use of Logic at all the stages of the 
definition of the problem. 

The second important contribution of the paper is to provide a correct encoding of 
the edit and imputation problems in an executable specification using an extension of 
disjunctive logic programming. In Section 6 we provide the rationale of the modular 
encoding, together with partial translations of the running example. For this purpose, 
disjunctive logic programming extended with two kinds of constraints has been used 
(see Section 5). The idea is that the preferred models of the logic program encoding the 
problem correspond to the repairs of a given questionnaire. It turns out that the solution 
of this challenging problem requires most of the expressive capabilities of disjunctive 
logic programming with constraints. Importantly, this disjunctive logic programming 
language is supported by DLV [5,6], a system which is freely available on the web, and 
can therefore be used to obtain an immediate implementation. Preliminary results of an 
experimentation activity carried out at the Italian National Statistical Institute show that 
the approach is viable also from the viewpoint of performance. 



2 The Census Questionnaire 

A household is a group of persons who occupy the whole or part of a housing unit and 
provide themselves with food and possibly other essentials for living. It is customary 
that, during the census of population periodically carried out by every country, a single 
questionnaire is associated to each household, involving questions about each member 
of the household. The notion of household may vary from country to country and it is in 
general to be distinguished from the notion of family. In the context of this paper we will 
not consider all the subtleties which make each census different from the others, but we 
will maintain an abstract level which could be adapted to the different situations, and 
nonetheless it will be in agreement with the recommendations for the 2000 European 
censuses of population. In this section, a basic questionnaire will be introduced, 
including all the core attributes (also called variables) considered in most censuses; the 
semantic definitions and the methodology presented in this paper can be easily extended 
to handle all the variables of a complete questionnaire. 

Each questionnaire is centred around the notion of reference person. For statistical 
purposes, all persons living in private households are identified from their relationship to 
the reference member of the household. It is outside the scope of this paper to understand 
how the various administrations define and select the one reference person in a household 
to whom all other persons in the household report or designate their relationship. In order 
to identify members of the household, an integer number is assigned to each person, with 
the number "1" reserved to identify the reference person. The following classification 
of persons living in a private household by relationship to the household's reference 
person is adopted in a basic questionnaire: Spouse; Partner; Child; Parent; Other relative 
of reference person, spouse or partner; Non-relative of reference person, spouse, or 
partner. 

The other structural attributes, to be specified for each member of the household, 
considered to be part of a basic questionnaire are: Sex: Male, Female; Age: integer 
number; Marital Status: Single, Married, Divorced, Widowed. 

A census form to be compiled by the members of a household will then contain, for 
each member, questions for at least each of the above attributes. 

3 Dealing with Missing and Inconsistent Data 

When the millions of compiled forms are returned to the national central statistical 
agency to be analysed, they may contain many errors, such as missing or inconsistent 
data. For example, it is possible that a person declared to be the spouse of the reference 
person, but at the same time he/she forgot to declare a marital status, or he/she declared 
to be single, or to be 6 years old. Before the data from the questionnaires is sent to the 
statisticians to be analysed, a cleaning phase is performed, in order to eliminate missing 
values or inconsistencies. It is very important that this step is done without altering the 
(statistical) validity of the collected data. For example, if the spouse declared to be 6 
years old, and if there are other arguments to enforce that he/she is actually the spouse of 
the reference person (for example, he/she may have additionally declared to be married), 
then his/her age should be changed to make the data consistent: any age, say, greater 
than 16 years would be fine if only absolute validity of the data is taken into account. 
However, the age should be changed to an age in agreement with the average age for a 
spouse in his/her conditions, and not with a value which may alter the statistics. In this 
case, it would be more sensible to change the age to, say, 36 years, rather than to 96 years 
(there are very few people of that age, and this would alter the statistics of old people) 
or to 16 years (there are very few people who are married at that age). Other corrections 
can be done deterministically - in the sense that there is only one valid change, which 
is also a statistically valid change - for example for a spouse who forgot to specify the 
marital status, and for which asserting that he/she is married does not introduce any other 
inconsistency. 

For these reasons, a collection of edit rules is introduced by the statistical agencies for 
each questionnaire class, in order to understand whether a questionnaire is consistent, 
and to guide the repair of inconsistent questionnaires. The process of automatically 
producing a set of statistically consistent questionnaires from the raw ones is called 
imputation. 
4 Formalisation of the Imputation Problem 

We define a questionnaire $Q$ as a pair $(r, E)$, where $r$ is a relation (i.e., a finite set of 
tuples) over the schema 

$\mathit{sch} : R(\mathit{PersonId}, \mathit{Relationship}, \mathit{Sex}, \mathit{Age}, \mathit{MaritalStatus})$ 

that encodes the answers of a household to the questionnaire, and $E$ is a finite set of first 
order (short: FO) formulas encoding the edit rules that $r$ should satisfy. Note that, in this 
paper, we will only use relations with the above schema sch. Thus, hereafter, we will 
always omit to specify the schema of a relation. Hence, e.g., by "all relations" we will 
mean "all relations over schema sch". Note also that the imputation problem is defined 
with respect to single questionnaires only. Therefore, the edit rules are associated to each 
single questionnaire. Of course, the edit rules are the same for all questionnaires. 

The PersonId attribute is key for any relation $r$ over sch, and the domain of each 
attribute is the finite set of values specified in Section 2 with in addition the special null 
value. Null values encode missing answers in the questionnaire. The edit rules, encoded 
through the FO sentences $E$, play the role of integrity constraints over the relation $R$. 
In these formulas the predicate $R$, additional comparison predicates over the domains, 
and constants for domain values may occur. We say that $Q$ is a complete questionnaire 
if no null value occurs in the tuples of $r$, and that $Q$ is a consistent questionnaire if it is 
complete and $r$ is a model for the theory $E$, i.e., $r \models E$. 

Example 1 Consider a questionnaire $Q_1 = (r_1, E_1)$, where $r_1$ is the following relation: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         spouse        M    39   married 

and where $E_1$ is the following set of edit rules: 

1. a spouse of the reference person should be married (but not necessarily vice versa): 
$\forall x.\, \exists y\, v_1\, v_2.\; R(x, \mathit{spouse}, v_1, v_2, y) \rightarrow y = \mathit{married}$; 

2. (formal) cohabitant partners of the reference person cannot be married with some- 
body else (i.e., they should be either single, or divorced, or widowed): 
$\forall x.\, \exists y\, v_1\, v_2.\; R(x, \mathit{partner}, v_1, v_2, y) \rightarrow y \neq \mathit{married}$; 

3. the reference person cannot be married with more than one person: 
$\forall x\, y.\, \exists v_1\, v_2\, v_3\, v_4\, v_5\, v_6.\; R(x, \mathit{spouse}, v_1, v_2, v_3) \wedge R(y, \mathit{spouse}, v_4, v_5, v_6) \rightarrow x = y$; 

4. the reference person and its spouse should have a different sex: 
$\forall x.\, \exists y\, v_1\, v_2\, v_3\, z\, v_4\, v_5.\; R(x, \mathit{spouse}, y, v_1, v_2) \wedge R(1, v_3, z, v_4, v_5) \rightarrow y \neq z$; 

5. any married person should be at least 16 years old: 
$\forall x.\, \exists y\, v_1\, v_2.\; R(x, v_1, v_2, y, \mathit{married}) \rightarrow y \geq 16$; 

6. the difference in age between a parent and a child should be bigger than 12 years: 
$\forall x.\, \exists y\, z\, v_1\, v_2\, v_3\, v_4\, v_5.\; R(x, \mathit{child}, v_1, y, v_2) \rightarrow (R(1, v_3, v_4, z, v_5) \wedge (z - y) > 12)$, 
and 
$\forall x.\, \exists y\, z\, v_1\, v_2\, v_3\, v_4\, v_5.\; R(x, \mathit{parent}, v_1, y, v_2) \rightarrow (R(1, v_3, v_4, z, v_5) \wedge (y - z) > 12)$. 
The questionnaire $Q_1$ is consistent and complete, as no null value occurs in $r_1$ and 
all the edit rules are satisfied by $r_1$. 

If a questionnaire $Q = (r, E)$ is not complete and/or not consistent, then we should 
repair it, providing some new corrected relation denoting a complete and consistent 
questionnaire. 

Definition 1 (Admissible Repair). Let $Q = (r, E)$ be a questionnaire and $\rho$ a mapping 
from tuples over sch to tuples over sch. We say that such a mapping is a repair for $Q$. 
For a relation $r$, denote by $\rho(r)$ the relation $\{\rho(t) \mid t \in r\}$. $\rho$ is an admissible repair for 
$Q$ if $(\rho(r), E)$ is a complete and consistent questionnaire. 

Example 2 Consider the questionnaire $Q_2 = (r_2, E_1)$, where $E_1$ is the set of edit rules 
in Example 1 and $r_2$ is the following relation: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         spouse        M    39   null 

An admissible repair for this questionnaire is the mapping $\rho_2$ saying that the reference 
person has an unmarried partner, i.e., the mapping that changes the second tuple to 
(2, partner, M, 39, single) and leaves untouched the first tuple. 

Starting from the observation that the errors in the compilation of a form are excep- 
tions, we make our best guess for a corrected questionnaire by minimising the changes to 
the original relation leading to a complete and consistent questionnaire. For this purpose, 
we introduce a measure of the number of changes that a repair makes to the relation of 
a questionnaire. For two tuples $t = (v_1, \ldots, v_m)$ and $t' = (v'_1, \ldots, v'_m)$, let $\mathit{dist}(t, t')$ 
be the number of values $v_j$ occurring in $t$ that differ from the corresponding values in 
$t'$, i.e., such that $v_j \neq v'_j$. Let $Q = (r, E)$ be a questionnaire and $\rho$ a repair for it; we 
define $\mathit{changes}(\rho, Q) = \sum_{t \in r} \mathit{dist}(t, \rho(t))$. 

Definition 2 (Minimal Repair). An admissible repair $\rho$ for a questionnaire $Q$ is minimal 
if $\mathit{changes}(\rho, Q)$ is the minimum number of changes over all possible admissible repairs 
for $Q$. 

Example 3 Consider again the questionnaire $Q_2 = (r_2, E_1)$ of Example 2. The ques- 
tionnaire has only one minimal repair, $\rho'_2$, namely the one where the null value is replaced 
by the 'married' marital status for the spouse of the reference person: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         spouse        M    39   married 

Note that the repair $\rho_2$ in the previous example is not minimal. Indeed, it changes 
both the relationship and the marital status for person 2 and hence $\mathit{changes}(\rho_2, Q_2) = 2$, 
while $\mathit{changes}(\rho'_2, Q_2) = 1$. 
In general, there are many possible minimal repairs for an inconsistent and/or incom- 
plete questionnaire. We should then choose one of the minimal repairs without altering 
the statistical properties of the census. This can be obtained by exploiting some extra 
information about the census domain, possibly old statistics concerning the same pop- 
ulation. Such information can be encoded through a set of FO formulas $P$ that we call 
preference rules, used for expressing some preferences over the repaired relation $r'$, 
defined as $r' = \rho(r)$, given $r$. To distinguish the two relations within the same formula, 
we use a different predicate symbol $R'$ for the repaired relation $r'$: therefore, formulas 
in $P$ refer to both the predicates $R$ and $R'$. Intuitively, a preference rule specifies a 
preferred way to repair the data of a person under some circumstances. The preference 
rules should be satisfied by as many persons in the household as possible. In order to 
introduce such a measure, we exploit that each person is uniquely identified by her/his 
PersonId, and we define preference rules as open formulas with one free variable $x$ 
ranging over the domain of the key attribute PersonId. Therefore, these rules are in fact 
FO queries, telling how many tuples (i.e., how many persons) do actually satisfy them. 

Given a substitution $\theta$ for the variable $x$ in the domain of the key attribute, $\phi_x\theta$ 
denotes the FO sentence obtained by replacing the variable $x$ according to $\theta$. For a 
preference rule $\phi_x$ and the relations $r$ and $r'$, we define 

$\phi_x(r, r') = \{\theta x \mid [r, r'] \models \phi_x\theta\}$ 

where $[r, r']$ denotes the interpretation induced by the two relation instances $r$ and $r'$ 
over predicates $R$ and $R'$, respectively. Intuitively, the relation $\phi_x(r, r')$ contains the 
members of the household whose repair $r'$ satisfies the preference rule $\phi_x$. If $|\phi_x(r, r')|$ 
denotes the number of tuples in $\phi_x(r, r')$, for a set of preference rules $P$ we define 

$|P(r, r')| =$ 

Example 4 Consider the following preference rule $\phi_x$: 

$\forall s_1, a_1, s_2, a_2.\; R(1, \mathit{reference}, s_1, a_1, \mathit{married}) \wedge R(x, \mathit{null}, s_2, a_2, \mathit{married}) \rightarrow R'(x, \mathit{spouse}, s_2, a_2, \mathit{married})$ 

This rule expresses that it is likely for a married person living in the household, whose 
relationship with the reference person is unknown, to be his/her spouse. 

Preference rules are used to establish an ordering within the minimal repairs of a 
questionnaire. Intuitively, when we change some value in order to repair inconsistencies 
and/or to replace null values, we want to satisfy as many preference rules as possible. 
Now we are ready to give a formal definition of the imputation problem. 

Definition 3 (Preferred Repair). A preferred repair $\rho$ for a questionnaire $Q$ is a mini- 
mal repair such that the number of satisfied preference rules $|P(r, \rho(r))|$ is the greatest 
over all minimal repairs for $Q$. 

Definition 4 (Imputation Problem). Let $Q = (r, E)$ be a questionnaire and $P$ a set 
of preference rules, expressed as open FO formulas over predicates $R$ and $R'$. The 
imputation problem for $Q$ with respect to $P$ is the problem of finding a preferred repair 
$\rho$ for $Q$. 
Please note that each imputation problem involves only the data of a single household, 
i.e., it should be computed for each census form at a time without considering the rest 
of the data. Thus, the size of the problem is relatively small. This includes the number of 
family members, the number of the attributes defining a questionnaire and the size of their 
domains, and the number of the edit and preference rules, which in total are usually 
between 50 and 100 for a standard complete census questionnaire. A crucial parameter 
is the size of the domains; as we have seen, these sizes are not usually large, with 
the exception of the domain of the age attribute. To overcome this problem, usually the 
domain of the age attribute is partitioned into age intervals. According to our experience, 
edit rules are also not a source of complexity: they tend to have a rather standard structure. 

Example 5 Consider the questionnaire $Q_3 = (r_3, E_1)$, where $E_1$ is the set of edit rules 
in Example 1 and $r_3$ is the following relation: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         null          M    39   married 

Note that there is no unique way to provide the missing 'relationship' value for 
the second tuple of $r_3$. The person identified by 2 may be another relative or a non- 
relative belonging to the household, or the spouse of the reference person (but not a 
partner, child, or parent). All these alternatives belong to the set of the minimal repairs 
for $Q_3$. However, as specified by the preference rule stated above, most married couples 
live together, and hence we should probably prefer the "spouse" repair. Let $\rho_3$ be the 
minimal repair that leaves untouched the first tuple of $r_3$ and maps its second tuple 
to (2, spouse, M, 39, married). Moreover, let $r'_3 = \rho_3(r_3)$. Then $\phi_x(r_3, r'_3) = \{1, 2\}$, 
because $\phi_x$ is satisfied by $[r_3, r'_3]$ both substituting $x$ with 1 and substituting $x$ with 2. 
Consider a repair $\rho'_3$ where the second tuple is mapped to (2, relative, M, 39, married). 
In this case, $\phi_x(r_3, \rho'_3(r_3)) = \{1\}$, because the tuple for person 2 does not satisfy $\phi_x$. 

Thus, as expected, the unique solution of the imputation problem for $Q_3$ w.r.t. $P$ is 
the repair $\rho_3$ giving the following relation $r'_3 = \rho_3(r_3)$. 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         spouse        M    39   married 

Example 6 Consider the questionnaire $Q_4 = (r_4, E_1)$, where $E_1$ is the set of edit rules 
in Example 1 and $r_4$ is the following relation: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         parent        M    6    widowed 

It is easy to see that the set of minimal repairs of $Q_4$ includes any questionnaire which 
is obtained from $Q_4$ by substituting the age of the parent with any value between 47 and 
120 (the maximum age). We should not prefer a too big or a too small age difference for 
average parent-child pairs. This can be expressed through the following preference rule 
stating that we prefer age differences in the range (25, 35): 

$\forall s'_1, s_2, s'_2, a'_1, a_2, a'_2, m'_1, m_2, m'_2.\; R(x, \mathit{parent}, s_2, a_2, m_2) \wedge R(1, \mathit{reference}, s'_1, a'_1, m'_1) \rightarrow R'(x, \mathit{parent}, s'_2, a'_2, m'_2) \wedge 25 < (a'_2 - a'_1) < 35$ 

The following is not among the minimal repairs of $Q_4$, since it does not involve a 
minimal number of changes: 

    PersonId  Relationship  Sex  Age  MaritalStatus 
    1         reference     F    31   married 
    2         child         M    6    single 

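As an added example, not the paper's code nor its DLV encoding, the following Python computes the minimal repairs (Definitions 1 and 2) and preferred repairs (Definition 3) of the questionnaires of Examples 2, 5 and 6 by searching over relations with 0, 1, 2, ... changed values, with the edit rules $E_1$ and the preference rules of Examples 4 and 6 written as Python predicates. It assumes that the relationship value reference is reserved for person 1 (so it is not a repair value), that 120 is the maximum age, and that $|P(r, r')|$ is the sum over the rules of the number of persons satisfying each rule.

```python
from itertools import combinations, product

# Attribute positions within a tuple over sch; PersonId is the key and is never changed.
REL, SEX, AGE, MAR = 0, 1, 2, 3
# Domains of Section 2. "reference" is reserved for person 1, so it is not a repair value;
# 120 is taken as the maximum age (assumptions of this example).
DOMAIN = {
    REL: ("spouse", "partner", "child", "parent", "relative", "nonrelative"),
    SEX: ("M", "F"),
    AGE: tuple(range(0, 121)),
    MAR: ("single", "married", "divorced", "widowed"),
}


def complete(r):
    """Q is complete if no null (None) occurs in r = {PersonId: (Rel, Sex, Age, Mar)}."""
    return all(None not in t for t in r.values())


def edit_rules_e1(r):
    """The edit rules E1 of Example 1, checked on a complete relation (r |= E1)."""
    ref = r[1]                                                  # tuple of the reference person
    for rel, sex, age, mar in r.values():
        if rel == "spouse" and mar != "married":                # 1: a spouse is married
            return False
        if rel == "partner" and mar == "married":               # 2: a partner is not married
            return False
        if rel == "spouse" and sex == ref[SEX]:                 # 4: spouse and reference differ in sex
            return False
        if mar == "married" and age < 16:                       # 5: married persons are at least 16
            return False
        if rel == "child" and not ref[AGE] - age > 12:          # 6: parent/child age gap above 12
            return False
        if rel == "parent" and not age - ref[AGE] > 12:
            return False
    return sum(t[REL] == "spouse" for t in r.values()) <= 1     # 3: at most one spouse


def changes(r, r2):
    """changes(rho, Q): number of attribute values in which r and rho(r) differ."""
    return sum(a != b for x in r for a, b in zip(r[x], r2[x]))


def relations_at_distance(r, k):
    """Enumerate the relations obtained from r by changing exactly k attribute values."""
    slots = [(x, i) for x in r for i in range(4)]
    for chosen in combinations(slots, k):
        for values in product(*(DOMAIN[i] for _, i in chosen)):
            r2 = {x: list(t) for x, t in r.items()}
            for (x, i), v in zip(chosen, values):
                r2[x][i] = v
            r2 = {x: tuple(t) for x, t in r2.items()}
            if changes(r, r2) == k:                             # skip "changes" to the value already there
                yield r2


def minimal_repairs(q, max_changes=3):
    """Admissible repairs with the minimum number of changes, found by trying 0, 1, 2, ...
    changes; each repair is returned as the repaired relation rho(r)."""
    r, edits = q
    for k in range(max_changes + 1):
        found = [r2 for r2 in relations_at_distance(r, k) if complete(r2) and edits(r2)]
        if found:
            return found
    return []


def preferred_repairs(q, prefs):
    """Minimal repairs maximising |P(r, r')|, taken here (assumption) as the total number
    of persons x satisfying each preference rule phi_x."""
    r, _ = q
    mins = minimal_repairs(q)

    def score(r2):
        return sum(phi(r, r2, x) for phi in prefs for x in r)

    best = max(score(r2) for r2 in mins)
    return [r2 for r2 in mins if score(r2) == best]


# Preference rules as functions of (r, r', x); an implication with a false antecedent holds.
def phi_spouse(r, r2, x):
    """Example 4: a married person whose relationship is unknown is preferably the spouse."""
    ref, t = r[1], r[x]
    if ref[REL] == "reference" and ref[MAR] == "married" and t[REL] is None and t[MAR] == "married":
        return r2[x] == ("spouse", t[SEX], t[AGE], "married")
    return True


def phi_parent_age(r, r2, x):
    """Example 6: a repaired parent is preferably 25 to 35 years older than the reference person."""
    ref, t = r[1], r[x]
    if t[REL] == "parent" and ref[REL] == "reference":
        return r2[x][REL] == "parent" and 25 < r2[x][AGE] - ref[AGE] < 35
    return True


# The relations of Examples 2, 5 and 6 (constructed from the tables above).
REFERENCE = ("reference", "F", 31, "married")
Q2 = ({1: REFERENCE, 2: ("spouse", "M", 39, None)}, edit_rules_e1)
Q3 = ({1: REFERENCE, 2: (None, "M", 39, "married")}, edit_rules_e1)
Q4 = ({1: REFERENCE, 2: ("parent", "M", 6, "widowed")}, edit_rules_e1)

if __name__ == "__main__":
    print(minimal_repairs(Q2))                          # the single repair rho'_2 of Example 3
    print(preferred_repairs(Q3, [phi_spouse]))          # the "spouse" repair rho_3 of Example 5
    print(sorted(r2[2][AGE] for r2 in preferred_repairs(Q4, [phi_parent_age])))  # 57 .. 65
```

Under the edit rules as written, a parent aged 44 or more already satisfies rule 6 against a 31-year-old reference person, so the search finds 81 minimal repairs for $Q_4$ (77 ages plus four relationship changes), of which the preference rule singles out the nine parent ages 57 to 65.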

5 Disjunctive Logic Programming with Constraints 

In this section we describe the disjunctive logic programming language with constraints 
(DLP^w), which is supported by the DLV system [5,6]. We will use DLP^w in Section 6 
to implement our approach to repair inconsistent census data. We first provide an 
informal description of the DLP^w language by examples, and we then supply a formal 
definition of the syntax and semantics of DLP^w. 

5.1 DLP^w by Examples 

Consider the problem SCHEDULING, consisting in the scheduling of course examina- 
tions. We want to assign course exams to time slots in such a way that no two exams 
are assigned to the same time slot if the corresponding courses have some student in 
common; we call such courses "incompatible". Supposing that there are three time slots 
available, ts1, ts2 and ts3, we express the problem in DLP^w by the following program 
$\mathcal{P}_{sch}$: 

r1 : assign(X, ts1) ∨ assign(X, ts2) ∨ assign(X, ts3) :- course(X) 
s1 : :- assign(X, S), assign(Y, S), incompatible(X, Y) 

Here we assumed that the courses and the pairs of incompatible courses are specified 
by input facts with predicates course and incompatible, respectively. Rule r1 says that 
each course is assigned to either one of the three time slots ts1, ts2 or ts3; the strong 
constraint s1 (a rule with empty head) expresses that no two incompatible courses can 
be assigned to the same time slot. In general, the presence of strong constraints modifies 
the semantics of a program by discarding all models which do not satisfy some of them. 
Clearly, it may happen that no model satisfies all constraints. For instance, in a specific 
instance of the above problem, there could be no way to assign courses to time slots without 
having some overlapping between incompatible courses. In this case, the problem does 
not admit any solution. However, in real life, one is often satisfied with an approximate 
solution, in which constraints are satisfied as much as possible. In this light, the problem 
at hand can be restated as follows (APPROX SCHEDULING): "assign courses to time 
slots trying not to overlap incompatible courses". In order to express this problem we 
introduce the notion of weak constraint, as shown by the following program $\mathcal{P}_{a\_sch}$: 

r1 : assign(X, ts1) ∨ assign(X, ts2) ∨ assign(X, ts3) :- course(X) 
w1 : :~ assign(X, S), assign(Y, S), incompatible(X, Y) 

From a syntactical point of view, a weak constraint is like a strong one where the 
implication symbol :- is replaced by :~. The semantics of weak constraints minimises 
the number of violated instances of constraints. An informal reading of the above weak 
constraint w1 is: "preferably, do not assign the courses X and Y to the same time slot if 
they are incompatible". Note that the above two programs $\mathcal{P}_{sch}$ and $\mathcal{P}_{a\_sch}$ have exactly 
the same preferred models if all incompatible courses can be assigned to different time 
slots (i.e., if the problem admits an "exact" solution). 

Census Data Repair: A Challenging Application of Disjunctive Logic Programming 569 

In general, the informal meaning of a weak constraint, say, B, is "try to falsify 
B" or "B is preferably false", etc. Weak constraints are very powerful for capturing the 
concept of "preference" in commonsense reasoning. 

Since preferences may have, in real life, different priorities, weak constraints in 
DLP^w can be assigned different priorities as well, according to their "importance"¹. For 
example, consider the case when incompatibilities among courses have different defea- 
sibility degrees, e.g., basic courses with common students should be considered with a 
higher degree of incompatibility than advanced courses. Consider the following problem 
(SCHEDULING WITH PRIORITIES): "schedule courses by trying to avoid overlap- 
ping between basic incompatible courses first, and then by trying to avoid overlapping 
between advanced incompatible courses" (i.e., privilege the elimination of overlapping 
between basic incompatible courses). If incompatibilities are specified through input 
facts with predicates basic_incompatible and advanced_incompatible, we can repre- 
sent SCHEDULING WITH PRIORITIES by the following program $\mathcal{P}_{p\_sch}$: 

r1 : assign(X, ts1) ∨ assign(X, ts2) ∨ assign(X, ts3) :- course(X) 
w2 : :~ assign(X, S), assign(Y, S), basic_incompatible(X, Y) [:2] 
w3 : :~ assign(X, S), assign(Y, S), advanced_incompatible(X, Y) [:1] 

The weak constraint w2 is defined "stronger than" w3, since w2 has a higher priority 
(2) than w3 (1). The preferred models (called best models) of the above program are 
the assignments of courses to time slots that minimise the number of overlappings 
between basic incompatible courses and, among these, the assignments which minimise 
the number of overlappings between advanced incompatible courses. 

5.2 Syntax 

A term is either a constant or a variable². An atom is of the form a(t1, ..., tn), where a 
is a predicate of arity n and t1, ..., tn are terms. A literal is either a positive literal p or 
a negative literal not p, where p is an atom. 

¹ Note that priorities are meaningless for strong constraints, since all of them must be satisfied. 

² Note that function symbols are not part of datalog. 
A (disjunctive) rule r is a clause of the form 

a1 ∨ ... ∨ an ← b1, ..., bk, not bk+1, ..., not bm.    n ≥ 1, m ≥ 0 

where a1, ..., an, b1, ..., bm are atoms. The disjunction a1 ∨ ... ∨ an is the head of r, 
while the conjunction b1, ..., bk, not bk+1, ..., not bm is the body of r. If n = 1 (i.e., the 
head is ∨-free), then r is normal; if m = k (the body is not-free), then r is positive. 

A strong constraint (integrity constraint) has the form ← L1, ..., Lm., where each 
Li, 1 ≤ i ≤ m, is a literal; it is a rule with empty head. 

A weak constraint has the form ⇐ L1, ..., Lm. [: l], where each Li, 1 ≤ i ≤ m, 
is a literal and l is a term. l denotes the priority layer; once the weak constraint has 
been instantiated, l should be a positive integer³. If the priority level l is omitted, then it 
defaults to 1. 

The language DLP^w includes all possible rules and constraints (weak and strong). A 
DLP^w program 𝒫 is a finite subset of the language DLP^w. 

5.3 Semantics 

Informally, the semantics of a DLP^w program 𝒫 is given by the stable models of the set 
of the rules of 𝒫 satisfying all strong constraints and minimising the number of violated 
weak constraints according to the prioritisation. 

The Herbrand Universe, the Herbrand Base, and the ground instantiation ground(𝒫) 
of a DLP^w program 𝒫 are defined in the usual way. Let P, S, and W be, respectively, 
the set of ground instances of the rules, the strong constraints, and the weak constraints 
of a DLP^w program 𝒫. An interpretation I for 𝒫 is a subset of the Herbrand Base of 𝒫 
(i.e., it is a set of ground atoms). A positive ground literal A is true w.r.t. I if A ∈ I, 
otherwise it is false w.r.t. I. A negative ground literal not A is true w.r.t. I if A ∉ I, 
otherwise it is false w.r.t. I. A ground rule r ∈ P is satisfied in I if some head literal 
of r is true or some body literal of r is false w.r.t. I. A constraint (strong or weak) c is 
satisfied in I if some literal of c is false w.r.t. I. An interpretation satisfying all rules of 
P is a model of P. The Gelfond-Lifschitz transformation of P with respect to I, denoted 
by P^I, is the positive program defined as follows: 

$$P^I = \bigl\{\, a_1 \vee \cdots \vee a_n \leftarrow b_1, \ldots, b_k \;\big|\; a_1 \vee \cdots \vee a_n \leftarrow b_1, \ldots, b_k, \text{not } b_{k+1}, \ldots, \text{not } b_m \in P \text{ and } b_i \notin I,\ k < i \leq m \,\bigr\}$$

I is a stable model for P if I is a subset-minimal model of P^I. A candidate model of 𝒫 
is a stable model of P which satisfies each strong constraint in S. 

For the weak constraints, only those candidate models are considered which minimise 
the number of the violated (weak) constraints in the greatest priority layer, and among 
them those which minimise the number of the violated constraints in the previous layer, 
etc. This can be expressed by an objective function for 𝒫 and a candidate model M: 

$$f(1) = 1$$

$$f(n) = f(n-1) \cdot WC + 1, \quad \text{if } n > 1$$

$$H_M = \sum_{i=1}^{max_i} \bigl( f(i) \cdot \|violated(M, i)\| \bigr)$$

where WC denotes the total number of weak constraints in 𝒫, max_i denotes the maximum 
priority layer in 𝒫, and ||violated(M, i)|| denotes the number of weak constraints in 
layer i which are violated w.r.t. M. A candidate model of 𝒫 for which H_M is minimal 
among all candidate models of 𝒫 is a best model of 𝒫. 

³ Note that the language of DLV supports also weights besides layers. Since we do not use them 
in our application, we omit the weights to simplify the presentation. 

As an example, consider the following program 𝒫_s: 

a ∨ b ← c.        ⇐ a, c. [: 2] 

c.                ⇐ b. [: 1] 

The stable models of the set {c.  a ∨ b ← c.} of ground rules of this example are 
M1 = {a, c} and M2 = {b, c}; they are also the candidate models, since there is no 
strong constraint. In this case, WC = 2 and max_i = 2. Thus, f(1) = 1, f(2) = 3, 
H_M1 = 3, and H_M2 = 1. So M2 is preferred over M1 (M2 is a best model of 𝒫_s). Indeed, 
M1 violates the more important weak constraint having level 2, while M2 violates only 
a weak constraint of level 1. 
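As an added illustration, not code from the paper or from the DLV system, the following Python script computes these semantics by brute force for hand-sized ground programs: the Gelfond-Lifschitz reduct, the subset-minimal models, the candidate models and the layered objective H_M, run on the program 𝒫_s above. The tuple encoding of rules and constraints and all function names are the script's own.

```python
"""Brute-force semantics of small ground DLP^w programs (added example).

A rule is (head, pos_body, neg_body) and a constraint is (pos_body,
neg_body, layer), all sets of ground atom names; strong constraints
carry layer None. Exponential in the number of atoms, so it is only
meant for hand-sized programs such as P_s from Section 5.3.
"""
from itertools import combinations


def reduct(rules, interp):
    """Gelfond-Lifschitz transformation P^I: drop each rule having some
    'not b' with b in I, and strip the negative body from the rest."""
    return [(head, pos) for head, pos, neg in rules if not (neg & interp)]


def is_model(pos_rules, interp):
    """I satisfies a positive rule when a head atom is true or a body atom is false."""
    return all((head & interp) or not (pos <= interp) for head, pos in pos_rules)


def stable_models(rules):
    """Stable models = interpretations I that are subset-minimal models of P^I."""
    atoms = sorted(set().union(*(h | p | n for h, p, n in rules)))
    models = []
    for k in range(len(atoms) + 1):
        for subset in combinations(atoms, k):
            interp = frozenset(subset)
            red = reduct(rules, interp)
            if not is_model(red, interp):
                continue
            proper_subsets = (frozenset(s) for j in range(k)
                              for s in combinations(subset, j))
            if not any(is_model(red, s) for s in proper_subsets):
                models.append(interp)
    return models


def violated(constraint, interp):
    """A constraint is violated iff every literal of its body is true in I."""
    pos, neg, _layer = constraint
    return pos <= interp and not (neg & interp)


def candidate_models(rules, constraints):
    """Stable models satisfying every strong constraint (layer None)."""
    strong = [c for c in constraints if c[2] is None]
    return [m for m in stable_models(rules)
            if not any(violated(c, m) for c in strong)]


def objective(weak, model):
    """H_M = sum_{i=1}^{max_i} f(i) * ||violated(M, i)||, where
    f(1) = 1 and f(n) = f(n-1) * WC + 1; WC = number of weak constraints."""
    wc = len(weak)
    max_layer = max((c[2] for c in weak), default=0)
    f = {1: 1}
    for n in range(2, max_layer + 1):
        f[n] = f[n - 1] * wc + 1
    return sum(f[i] * sum(1 for c in weak if c[2] == i and violated(c, model))
               for i in range(1, max_layer + 1))


def best_models(rules, constraints):
    """Candidate models with minimal H_M."""
    weak = [c for c in constraints if c[2] is not None]
    cands = candidate_models(rules, constraints)
    scores = {m: objective(weak, m) for m in cands}
    low = min(scores.values(), default=0)
    return [m for m in cands if scores[m] == low]


# Program P_s of Section 5.3, written in the tuple encoding above:
#   a v b <- c.     <= a, c. [:2]
#   c.              <= b.    [:1]
P_S_RULES = [({"a", "b"}, {"c"}, set()), ({"c"}, set(), set())]
P_S_CONSTRAINTS = [({"a", "c"}, set(), 2), ({"b"}, set(), 1)]

if __name__ == "__main__":
    weak = [c for c in P_S_CONSTRAINTS if c[2] is not None]
    for m in candidate_models(P_S_RULES, P_S_CONSTRAINTS):
        print(sorted(m), "H_M =", objective(weak, m))
    print("best models:", [sorted(m) for m in best_models(P_S_RULES, P_S_CONSTRAINTS)])
```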

6 Solving the Imputation Problem 

In this section we show how to solve the imputation problem using a disjunctive logic 
program with weak constraints Q whose best models correspond to the preferred repairs 
of a given questionnaire. This program first verifies whether the input data satisfies the edit rules 
or contains null values, i.e., whether the questionnaire is consistent and complete. If this is the 
case, then the program has a unique best model corresponding to the given questionnaire, 
unmodified. Otherwise, the program corrects the data automatically, and each of its best 
models encodes a preferred repair (i.e., it maximises the number of satisfied preference 
rules). 

6.1 Running Example 

As a running example we consider the questionnaire Q5 = (r5, E1) and the preference 
rules φ1 of Example [H and of Example 0. E1 is the set of edit rules in Example [H 
and r5 is the following relation: 

Personid  Relationship  Sex   Age  Marital Status 
1         reference     F     31   single 
2         parent        null  12   widowed 

The questionnaire is incomplete (the sex of the person "2" is not specified) and 
inconsistent with respect to the edit rule 6 from E1 (the person "2" is a parent of the 
reference person and she/he is 12 years old). 

6.2 Data Representation 

Each component of a household is identified by an integer number. The number "1" 
identifies the reference person. The questionnaire relation is encoded by the following 
EDB binary predicates: relationship, age, maritalstatus, and sex. For each 
atom over these predicates, the first argument corresponds to the identification number 
of a person, while the domain for the second argument depends on the predicate, as 
described below: 

- relationship: reference, spouse, partner, son, parent, otherRelative, nonRelative; 

- sex: male, female; 

- marital status: single, married, divorced, widowed; 

- age: integer number. 

For instance, an atom relationship(2, spouse) indicates that the household component 
with identification number "2" is the spouse of the reference person. In our running 
example the relation is represented by the following set of facts: 

{relationship(1, reference), sex(1, female), age(1, 31), maritalstatus(1, single), 
 relationship(2, parent), age(2, 12), maritalstatus(2, widowed)} 

The relation corresponding to a preferred repair for the given questionnaire is encoded 
through a set of facts with the same names as the predicates encoding the input relation, but 
capitalised. For instance, Age(1, 33) means that the reference person is aged 33 in the 
preferred repair. Therefore, the "output" relation corresponding to a preferred repair is 
represented by the following IDB predicates: Relationship, Age, MaritalStatus, 
and Sex. 



6.3 Description of the DLP^w Program 

The DLP^w program consists of the following five modules automatically generated from 
the edit rules: 

- detection of errors and missing data; 

- generation of possible correction of data values; 

- admissible repairs check; 

- minimal repairs generation; 

- preferred repairs generation. 

Next, we describe the five modules. To help the intuition, we carry out an informal 
description by referring to the running example. 

Detection of Errors and Missing Data. This module verifies that the input data is correct 
(i.e., there is no inconsistency w.r.t. some edit rule) and that there is no missing information 
about the components of the household (i.e., for each person, there exists a tuple for each 
of the predicates). If either some null value or some error is detected in any input atom, 
this module derives a corresponding atom over the predicates wrongRelationship, 
wrongAge, wrongMaritalStatus, and wrongSex. Missing values are identified by 
using negation. For instance, consider the input predicate relationship. The following 
rules detect whether we miss the relationship information for some member of the household: 

specifiedRelationship(X) :- relationship(X,Y). 

wrongRelationship(X, missing) :- not specifiedRelationship(X), person(X). 

If the relationship of a person X is not specified, the wrongRelationship(X, missing) 
atom is derived. This means that it is necessary to complete the data. In the running 
example, since the sex of the person "2" is not specified, the module derives the atom 
wrongSex(2, missing). 

In order to detect errors, the DLP^w program includes rules corresponding to the edit 
rules of the questionnaire, which single out inconsistencies. If an edit rule is violated, then 
the corresponding rule of the module detects this situation and provides some atoms 
which may be responsible for this violation. For instance, consider the edit rule 5 in the 
running example, which says that any married person should be at least 16 years old. 
The following rule suggests that, in the case of a violation for a person X, either the age 
or the marital status of X is wrong: 

wrongMaritalStatus(X, married) v wrongAge(X,Z) :- 
    maritalstatus(X, married), age(X,Z), Z<16. 

Note that, for presentation clarity, we made a simplifying assumption. We assume that 
a violated edit rule does not need to change more than one atom to be satisfied (e.g., 
either the marital status or the age can be changed in the above rule, but we assume that we do 
not need to change both). Even if this assumption is plausible, we can easily relax it by 
modifying the encoding. 

Generation of Possible Corrections of Data Values. The previous module derives atoms 
of the form wrongSomething corresponding to wrong values that caused the violation 
of some edit rule. For each of them, we should provide a new value for the repaired 
questionnaire. This is accomplished by disjunctive rules whose heads contain an atom 
for each domain value, representing a candidate change for the guilty atom. 

For instance, the following rule guesses a value for the (output) sex predicate Sex, 
if the sex is wrong: 

Sex(X,male) v Sex(X,female) :- wrongSex(X,_). 

In the previous module, since we derived wrongSex(2, missing), a new value for the 
output predicate Sex is guessed. 

Admissible Repairs Check. Once we have guessed a repair for the given questionnaire, 
we have to check whether the repair is admissible. This is accomplished by integrity constraints 
over the output predicates that encode the edit rules of the questionnaire. Thus, the output 
atoms occurring in the candidate models of the program so far correspond to admissible 
repairs for the questionnaire. 

For instance, consider the edit rule 1 stating that the spouse of the reference person 
should be married, and the edit rule 5 stating that any non-single person should be at 
least 16 years old. They are encoded by the following constraints: 

:- Relationship(X, spouse), MaritalStatus(X,Y), Y<>married. 
:- MaritalStatus(X,Y), Y<>single, Age(X,Z), Z<16. 
A candidate model for the program of the running example is⁴ 

A = {wrongSex(2, missing), wrongAge(2, 12), Relationship(1, reference), 
     Sex(1, female), Age(1, 31), MaritalStatus(1, single), 
     Relationship(2, parent), Sex(2, female), Age(2, 70), 
     MaritalStatus(2, widowed)} 

corresponding to the following repair: 

Personid  Relationship  Sex  Age  Marital Status 
1         reference     F    31   single 
2         parent        F    70   widowed 

Another candidate model for this program is 

A' = {wrongSex(2, missing), wrongRelationship(2, parent), 
      Relationship(1, reference), Sex(1, female), Age(1, 31), 
      MaritalStatus(1, single), Relationship(2, child), Sex(2, male), 
      Age(2, 12), MaritalStatus(2, single)} 

corresponding to the following repair: 

Personid  Relationship  Sex  Age  Marital Status 
1         reference     F    31   single 
2         child         M    12   single 



Minimal Repairs Generation. To enforce the computation of only the candidate models 
corresponding to minimal repairs of the questionnaire, we exploit the weak constraints 
extension of disjunctive logic programming. Using weak constraints, we can assign a 
penalty to each value change we make to the input questionnaire. This is accomplished 
by the following constraints: 

:~ relationship(X,Y), Relationship(X,Z), Z<>Y. [:2] 
:~ age(X,Y), Age(X,Z), Z<>Y. [:2] 
:~ sex(X,Y), Sex(X,Z), Z<>Y. [:2] 
:~ maritalstatus(X,Y), MaritalStatus(X,Z), Z<>Y. [:2] 

Note that we use level 2 priority for the weak constraints above, because minimisation 
of changes has the highest priority in the imputation problem (as defined in Section 4), 
and we will use level 1 priority for specifying less important properties below. 

The candidate model A' above violates three weak constraints, while the candidate 
model A violates two weak constraints. Thus, A is a best model of the program, and it 
corresponds to a minimal repair for Q5. 

⁴ We do not list the input facts again in the models. 
Preferred-Repairs Generation. To maximise the number of satisfied preference rules 
(Definition El), we use weak constraints again. The module contains a weak constraint 
for each preference rule. This constraint assigns a penalty for each violation of the 
corresponding preference rule. These weak constraints have level 1 priority, since they 
have a lower priority than the weak constraints enforcing minimisation of changes. 
Indeed, by definition of the imputation problem, the preferred repairs should be chosen 
among the minimal repairs for the questionnaire. Thus, the candidate model of the 
program minimising the cost of weak constraints encodes the preferred repair for the 
questionnaire. 

For instance, the following weak constraint corresponds to the preference rule of the 
running example stating that, if the reference person is married and some other married 
person is in the household, then we prefer the situation in which they are married to each 
other: 

:~ MaritalStatus(1, married), MaritalStatus(X, married), 
   Relationship(X,Y), Y<>spouse, X<>1. [:1] 

The candidate model A is a minimal repair but it is not the preferred repair for Q5. Indeed, 
it does not satisfy the preference rule stating that the age difference between a parent 
and a child should be in the range (25, 35), on average. 

The following candidate model is a best model of the program and corresponds to a 
preferred repair of the questionnaire. 

A'' = {wrongSex(2, missing), wrongAge(2, 12), Relationship(1, reference), 
       Sex(1, female), Age(1, 31), MaritalStatus(1, single), 
       Relationship(2, parent), Sex(2, female), Age(2, 60), 
       MaritalStatus(2, widowed)} 
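As an added example, not the paper's DLP^w encoding, the Python script below searches the same space directly for the running example: it enumerates every repair of the faulty tuple, keeps the admissible ones, and ranks them by the lexicographic cost (number of changes, number of violated preference rules), i.e. the layer-2 penalties before the layer-1 ones. Only the edit and preference rules quoted in this section are encoded; edit rule 6 is not spelled out in the text, so the script assumes it to mean that a parent of the reference person must be older than the reference person, ages are bounded to 0..100, and all function names are the script's own.

```python
"""Brute-force preferred repairs for the running example Q5 (added example).

This is a plain Python re-statement of the semantics the DLP^w modules
implement, not the paper's program: change minimisation first (layer 2),
preference rules second (layer 1). Assumptions: edit rule 6 (only described
informally in the text) is taken to be 'a parent of the reference person is
older than the reference person'; ages range over 0..100; filling a null
counts as one change, matching the counts given for the models A and A'.
"""
from itertools import product

RELATIONSHIPS = ["reference", "spouse", "partner", "son", "parent",
                 "otherRelative", "nonRelative"]
SEXES = ["male", "female"]
MARITAL = ["single", "married", "divorced", "widowed"]
AGES = range(0, 101)

# The questionnaire Q5 of Section 6.1; None stands for a null value.
Q5 = {
    1: {"relationship": "reference", "sex": "female", "age": 31,
        "maritalstatus": "single"},
    2: {"relationship": "parent", "sex": None, "age": 12,
        "maritalstatus": "widowed"},
}


def edit_violations(h):
    """Count violated edit rules in household h (edit rules 1 and 5 as quoted
    in Section 6.3, plus the assumed reading of edit rule 6)."""
    ref_age = h[1]["age"]
    n = 0
    for p in h.values():
        if p["relationship"] == "spouse" and p["maritalstatus"] != "married":
            n += 1                       # edit rule 1
        if p["maritalstatus"] != "single" and p["age"] < 16:
            n += 1                       # edit rule 5
        if p["relationship"] == "parent" and p["age"] <= ref_age:
            n += 1                       # assumed edit rule 6
    return n


def preference_violations(h):
    """Count violated preference rules: a married member should be the spouse
    of a married reference person, and the parent/child age gap should lie
    in (25, 35) (the 'on average' qualifier is simplified to a per-pair check)."""
    ref = h[1]
    n = 0
    for pid, p in h.items():
        if pid == 1:
            continue
        if (ref["maritalstatus"] == "married" and p["maritalstatus"] == "married"
                and p["relationship"] != "spouse"):
            n += 1
        if p["relationship"] in ("parent", "son") and not 25 < abs(p["age"] - ref["age"]) < 35:
            n += 1
    return n


def changes(original, repaired):
    """Number of attribute values that differ between the input and the repair."""
    return sum(1 for pid in original for k in original[pid]
               if original[pid][k] != repaired[pid][k])


def preferred_repairs(q, faulty_pid):
    """Admissible repairs altering only faulty_pid's tuple with lexicographically
    minimal (changes, preference violations); returns (repairs, cost)."""
    best, best_cost = [], None
    for rel, sex, age, ms in product(RELATIONSHIPS, SEXES, AGES, MARITAL):
        h = {pid: dict(t) for pid, t in q.items()}
        h[faulty_pid] = {"relationship": rel, "sex": sex, "age": age,
                         "maritalstatus": ms}
        if edit_violations(h):
            continue                     # not an admissible repair
        cost = (changes(q, h), preference_violations(h))
        if best_cost is None or cost < best_cost:
            best, best_cost = [h], cost
        elif cost == best_cost:
            best.append(h)
    return best, best_cost


if __name__ == "__main__":
    repairs, cost = preferred_repairs(Q5, 2)
    print("cost (changes, preference violations):", cost)
    for r in repairs:
        print(r[2])
```

Under these assumptions the repair A'' above (sex female, age 60) is among the best repairs, while A (age 70) is admissible and minimal but violates the age-gap preference, as the text describes.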



Remark 1. To show the feasibility of our approach, we used the executable specification 
language DLP^w, supported by the DLV system. It is worthwhile noting that disjunction 
is not strictly necessary in our program, and could be replaced by unstratified negation 
(with a polynomial blow up of the program size). Weak constraints, on the contrary, are 
strictly needed to implement the semantics of preferred repairs, and cannot be rewritten 
into normal logic rules. Thus, normal logic programs cannot be used to implement our 
semantics, while DLP^w provides a natural and elegant support for the implementation. 



7 Related Work 

There are various methodologies available to statisticians for dealing with the millions 
of records that have to be cleaned IITOll. The most widely used for census data is the 
Fellegi and Holt methodology (FH [7]). More recently, the New Imputation Methodology 
(NIM O) has been introduced as an improvement over FH. 

In both FH and NIM, edit rules are written in a declarative fashion, and they are used 
to check the consistency of a household questionnaire; the consistency check is usually 
implemented with active rules in a relational database. When a questionnaire fails to 
satisfy the edit rules, the information needed for the imputation phase is borrowed from 
a similar questionnaire that passed the edit rules (which is called a donor form). NIM 
initially searches for donors that match the failed record on as many as possible of the 
involved attribute values. It then analyses the edit rules to determine the minimum number 
of non-matching attributes between the failed record and that particular donor, such that 
the imputed record will eventually pass the edits. Various subsets of the attributes are 
imputed to determine which is the optimum imputation for a failed edit household. It 
is crucial that in the imputed record the joint distribution of attributes is maintained. 
In contrast to NIM, FH first determines the minimum number of attributes to impute 
and then performs the imputation, possibly by searching for donors. According to the 
experiments, changing the order of these operations allows NIM to efficiently solve 
larger and more complex imputation problems. 

Neither of the above methods has a declarative semantics. In particular, various 
implementations slightly differ in the imputation phase, making it impossible to understand 
what gets repaired and why. In addition, they are computationally expensive, since 
both rely inherently on donors, which have to be found in a database the size of 
the entire census. 

Our proposal has two clear advantages over FH and derivative methods. First of 
all, it is equipped with a formal declarative semantics, which unambiguously specifies 
the meaning and the behaviour of the imputation task. Surprisingly, there has been no 
previous attempt in the field to devise explicitly a formal semantics for the imputation 
task. This semantics is not in contrast with what in principle should be the behaviour 
of the FH and NIM procedures. However, we have noticed that the various algorithms 
currently used do produce different results which are hard to interpret and compare 
given the absence of a declarative semantics. We hope that our clear semantics will 
help in understanding and possibly fixing those differences. Secondly, we have clearly 
separated the consistency check phase, the abstract imputation phase, and the preference 
selection phase. While we give precise and complete definitions for the former phases, 
we have defined the latter preference selection phase up to the choice of a mechanism 
behind the preference rules. We leave their definition open to the statisticians, 
who may choose their own preferred strategy, such as a donor strategy - with possibly 
different similarity measures, and with global or local comparisons - or a strategy based 
on statistical histories, or others. 

Our approach is highly modular. In principle, each questionnaire is processed and 
corrected alone, independently of all other census data. This modularity property allows 
for a high degree of parallelism (several questionnaires can be processed in parallel 
on different machines) and ensures a higher computational load. Indeed, even if the 
correction of a questionnaire may require exponential time, this time is exponential 
in the size of a single questionnaire and in the number of edit rules. This is true up to the 
computation of the preference rules, which - depending on the strategy chosen by the 
statisticians - may again look at the whole set of questionnaires. The advantage of our 
proposal is to single out this latter phase and to have a principled way of relating it with 
the abstract imputation problem. We also propose a provably correct implementation 
of the abstract imputation problem in DLP^w. We have implemented our approach on 
the disjunctive logic programming system DLV, and we have started an experimentation 
activity at the Italian Statistical Agency (ISTAT). The results of the experiments show 
the feasibility of this approach with realistic questionnaires (composed of the edit rules 
and the form data), if only the abstract imputation problem is taken into account, i.e., if 
the preference rules are given. 




Census Data Repair: A Challenging Application of Disjunctive Logic Programming    577 



To our knowledge, there has been in the literature only one proposal using a logic- 
based approach to the edit and imputation problems Q. However, this approach 
does not explicitly define a declarative semantics of the imputation problem, and most 
importantly it suffers from a combinatorial explosion of the encoding of the problem in 
propositional logic. Moreover, the main focus of Q) is on the problems of consistency 
and redundancy of edit rules. The imputation problem is solved - again in a propositional 
setting - still in an ad-hoc manner by using donors taken from correct questionnaires. 

The problem of correcting collections of data with missing or inconsistent values 
also arises in the context of integration of knowledge from multiple sources, e.g., in 
data warehouses. Some recent logical approaches to querying and repairing inconsistent 
databases have been proposed in 11181. Such approaches are based on subset-minimal 
repairs, and it is possible to specify some preference on the possible corrections. The use 
of subset-minimal repairs is more coarse grained than our approach based on minimal 
change followed by a preference criterion. In fact, our notion of minimality is based 
on the finer grained measure of the number of changes within tuples. For example, let 
us consider two admissible repairs of a questionnaire, each one having only one tuple 
changed with respect to the original questionnaire; this is the case of the two admissible 
repairs proposed in Example El (p2) and Example El (p'2). These two repairs are 
ranked equal according to a subset-minimal criterion, while our minimal change criterion 
selects only the repair(s) where the least number of attributes was changed, namely p'2. 
In addition, we further allow general preference rules among the set of minimal repairs, 
expressed in a declarative way, with the goal of producing a single preferred repair. 

We believe that our minimal change criterion could be applied as a basic selection 
criterion also for the problems in ms), since it leads to more sensible choices. Moreover, 
even if it is hard to precisely compare the complexity of the approaches pursued by II 11811 
with ours - since the problems are different (computation of a consistent answer in all 
minimal repairs versus the computation of the minimal repairs) - a general complexity 
argument applies as follows. First note that the imputation problem is a search problem, 
and that we refer here to the complexity of the problem of deciding whether an attribute of a 
tuple gets a certain value in some minimal repair of the questionnaire. In this context, 
choices among different solutions based on weights or cardinalities of the solutions are 
typically feasible in a more efficient way, compared with choices based on the subset- 
minimality criterion. More specifically, in our case, the adoption of a general subset- 
minimal criterion would raise the complexity from (our upper bound, given by the 
fragment we use of DLP^w with a limited - head-cycle-free - disjunction [3]) to . 

8 Conclusions 

In this paper we have formally defined the semantics of the edit and imputation problems 
for census data, and we have provided a correct encoding in disjunctive logic program- 
ming with constraints. We believe that our framework is quite general and can be applied 
to contexts other than census data repair. 

We have implemented our approach on the disjunctive logic programming system 
DLV, and we have started an experimentation activity at the Italian Statistical Agency 
(ISTAT). Preliminary results of experiments show the feasibility of this approach with 
realistic data. 
We plan to have an extensive experimentation with real census data provided by 
the Italian Statistical Agency - including their donor-based strategy for computing the 
preference rules - and to compare the outcome of our approach with the well established 
imputation methodologies based on statistics. We also want to devise a methodology for 
edit and preference rule design, and to precisely characterise the computational properties 
of the abstract imputation problem. 
Abstract. Several logic-based languages, such as Prolog II and its successors, 
SICStus Prolog and Oz, offer a computation domain including 
rational trees that allow for increased expressivity and faster unification. 
Unfortunately, the use of infinite rational trees has problems. For in- 
stance, many of the built-in and library predicates are ill-defined for such 
trees and need to be supplemented by run-time checks whose cost may be 
significant. In a recent paper [3], we have proposed a data-flow analysis 
called finite-tree analysis aimed at identifying those program variables 
(the finite variables) that are not currently bound to infinite terms. Here 
we present a domain of Boolean functions, called finite-tree dependencies 
that precisely captures how the finiteness of some variables influences the 
finiteness of other variables. We also summarize our experimental results 
showing how finite-tree analysis, enhanced with finite-tree dependencies 
is a practical means of obtaining precise finiteness information. 



1 Introduction 

Many logic-based languages refer to a computation domain of rational trees. 
While rational trees allow for increased expressivity, they also have a surprising 
number of problems. (See jl] for a survey of known applications of rational trees 
and a detailed account of many of the problems caused by their use.) Some of 
these problems are so serious that rational trees must be used in a very controlled 
way, disallowing infinite trees in any context where they are "dangerous". This, 
in turn, causes a secondary problem: in order to disallow infinite trees in selected 
contexts, one must first detect them, an operation that may be expensive. 

In [4], we have introduced a composite abstract domain, H × P, for finite-tree 
analysis. The H domain, written with the initial of Herbrand and called the 
finiteness component, is the direct representation of the property of interest: a set 
of variables guaranteed to be bound to finite terms. The generic domain P (the 
parameter of the construction) provides sharing information that can include, 
apart from variable aliasing, groundness, linearity, freeness and any other kind 
of information that can improve the precision on these components, such as 
explicit structural information. Sharing information is exploited in H × P for 
two purposes: detecting when new infinite terms are possibly created (this is 
done along the lines of m) and confining the propagation of those terms as 
much as possible. As shown in [3,4], by giving a generic specification for this 
parameter component in terms of the abstract queries it supports (in the style 
of the open product construct P2|), it is possible to define and establish the 
correctness of the abstract operators on the finite-tree domain independently 
of any particular domain for sharing analysis. 

grant M05645 partly supported the work of the second and fourth authors. 

The domain H × P captures the negative aspect of term-finiteness, that is, the 
circumstances under which finiteness can be lost. However, term-finiteness has 
also a positive aspect: there are cases where a variable is guaranteed to be bound to a 
finite term and this knowledge can be propagated to other variables. Guarantees 
of finiteness are provided by several built-ins like unify_with_occurs_check/2, 
var/1, name/2, all the arithmetic predicates, besides those explicitly provided to 
test for term-finiteness such as the acyclic_term/1 predicate of SICStus Prolog. 
The information encoded by H is attribute independent | 14|, which means that 
each variable is considered in isolation. What is missing is information concerning 
how finiteness of one variable affects the finiteness of other variables. This kind 
of information, usually called relational information, is not captured at all by H 
and is only partially captured by the composite domain H × P of [4]. 

Here we present a domain of Boolean functions that precisely captures how 
the finiteness of some variables influences the finiteness of other variables. This 
domain of finite-tree dependencies provides relational information that is important 
for the precision of the overall finite-tree analysis. It also combines obvious 
similarities, interesting differences and somewhat unexpected connections with 
classical domains for groundness dependencies. 

Finite-tree and groundness dependencies are similar in that they both track 
covering information (a term s covers t if all the variables in t also occur in s) and 
share several abstract operations. However, they are different because covering 
does not tell the whole story. Suppose x and y are free variables before either 
the unification x = f(y) or the unification x = f(x, y) is executed. In both 
cases, x will be ground if and only if y will be so. However, when x = f(y) 
is the performed unification, this equivalence will also carry over to finiteness. 
In contrast, when the unification is x = f(x, y), x will never be finite and will 
be totally independent, as far as finiteness is concerned, from y. Among the 
unexpected connections is the fact that finite-tree dependencies can improve the 
groundness information obtained by the usual approaches to groundness analysis. 

The paper is structured as follows: the required notations and preliminary 
concepts are given in Section [21 the concrete domain for the analysis is presented 
in Section |21 Section jH introduces the use of Boolean functions for tracking 
finite-tree dependencies, whereas Section 0 illustrates the interaction between 
groundness and finite-tree dependencies. Our experimental results are presented 
in Section O The paper concludes in Section [71 
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2 Preliminaries 

2.1 Infinite Terms and Substitntions 

For a set S, p(S) is the powerset of S, p{(S) is the set of all the finite subsets of 
S, whereas # S denotes the cardinality of S. Let Sig denote a possibly infinite 
set of function symbols, ranked over the set of natural numbers and Vars a 
denumerable set of variable symbols, disjoint from Sig. Then Terms denotes the 
free algebra of all (possibly infinite) terms in the signature Sig having variables 
in Vars. It is assumed that Sig contains at least two distinct function symbols, 
one having rank 0 and one with rank greater than 0 (so that there exist finite 
and infinite terms both with and without variables). If t G Terms then vars(t) 
denotes the set of variables occurring in t. If vars(t) = 0 then t is said to be 
ground; t is a finite term (or Herhrand term) if it contains a finite number of 
occurrences of function symbols. The sets of all ground and finite terms are 
denoted by GTerms and HTerms, respectively. 

A substitution is a total function σ: Vars → HTerms that is the identity 
almost everywhere; in other words, the domain of σ, which is defined as 
dom(σ) ≝ { x ∈ Vars | σ(x) ≠ x }, is a finite set of variables. If x ∈ Vars 
and t ∈ HTerms \ {x}, then x ↦ t is called a binding. The set of all bindings 
is denoted by Bind. Substitutions are conveniently denoted by the set of 
their bindings. Accordingly, a substitution σ is identified with the (finite) set 
{ x ↦ σ(x) | x ∈ dom(σ) }. We denote by vars(σ) the set of all variables 
occurring in the bindings of σ. 

A substitution of the form {x_1 ↦ x_2, ..., x_{n-1} ↦ x_n, x_n ↦ x_1} is circular 
if and only if n > 1 and x_1, ..., x_n are distinct variables. A substitution is in 
rational solved form if it has no circular subset. The set of all substitutions in 
rational solved form is denoted by RSubst. 

Given a substitution σ: Vars → HTerms, the symbol ‘σ’ also denotes the 
function σ: HTerms → HTerms defined as usual. That is, for each t ∈ HTerms, 
σ(t) is the term obtained by replacing each occurrence of each variable x in t by 
the term σ(x). If t ∈ HTerms, we write tσ to denote σ(t). Let s ∈ HTerms and 
σ ∈ RSubst. Then σ^0(s) ≝ s and σ^i(s) ≝ σ(σ^{i-1}(s)) for all i ∈ ℕ, i > 0. Thus 
the sequence of finite terms σ^0(s), σ^1(s), ... converges to a (possibly infinite) 
term, denoted by σ^∞(s). 

2.2 Equations 

An equation has the form s = t where s, t ∈ HTerms. Eqs denotes the set of all 
equations. A substitution σ may be regarded as a finite set of equations, that is, 
as the set { x = t | x ↦ t ∈ σ }. We say that a set of equations e is in rational 
solved form if { s ↦ t | (s = t) ∈ e } ∈ RSubst. In the rest of the paper, we will 
often write a substitution σ ∈ RSubst to denote a set of equations in rational 
solved form (and vice versa). 

Some logic-based languages, such as Prolog II, SICStus and Oz, are based 
on RT, the theory of rational trees [Hiin]. This is a syntactic equality theory 
(i.e., a theory where the function symbols are uninterpreted), augmented with a 
uniqueness axiom for each substitution in rational solved form. It is worth noting 
that any set of equations in rational solved form is, by definition, satisfiable in 
RT. 

Given a set of equations e ∈ ℘f(Eqs) that is satisfiable in RT, a substitution 
σ ∈ RSubst is called a solution for e in RT if RT ⊢ ∀(σ → e), i.e., if every 
model of the theory RT is also a model of the first-order formula ∀(σ → e). If 
in addition vars(σ) ⊆ vars(e), then σ is said to be a relevant solution for e. If 
RT ⊢ ∀(σ ↔ e), then σ is a most general solution for e in RT. The set of all 
the relevant most general solutions for e in RT will be denoted by mgs(e). 

The function ↓(·): RSubst → ℘(RSubst) is defined, for each σ ∈ RSubst, by 
↓σ ≝ { τ ∈ RSubst | ∃σ' ∈ RSubst . τ ∈ mgs(σ ∪ σ') }. The next result shows 
that ↓(·) corresponds to the closure by entailment in RT. 

Proposition 1. Let σ ∈ RSubst. Then ↓σ = { τ ∈ RSubst | RT ⊢ ∀(τ → σ) }. 



2.3 Boolean Functions 



Boolean functions have already been extensively used for data-flow analysis of 
logic-based languages. An important class of these functions used for tracking 
groundness dependencies is Pos [1]. This domain was introduced in [19] under 
the name Prop and further refined and studied in [IIEo]. 

Boolean functions are based on the notion of Boolean valuation. 

Definition 2. (Boolean valuations.) Let VI ∈ ℘f(Vars) and 𝔹 ≝ {0, 1}. The 
set of Boolean valuations over VI is Bval ≝ VI → 𝔹. For each a ∈ Bval, each 
x ∈ VI, and each c ∈ 𝔹 the valuation a[c/x] ∈ Bval is given, for each y ∈ VI, by 

$$a[c/x](y) \stackrel{\mathrm{def}}{=} \begin{cases} c, & \text{if } x = y; \\ a(y), & \text{otherwise.} \end{cases}$$

If X = {x_1, ..., x_k} ⊆ VI, then a[c/X] denotes a[c/x_1]···[c/x_k]. 
Bval contains the distinguished elements 0 ≝ λx ∈ VI . 0 and 1 ≝ λx ∈ VI . 1. 

Definition 3. (Boolean functions.) The set of Boolean functions over VI is 
Bfun ≝ Bval → 𝔹. Bfun is partially ordered by the relation ⊨ where, for each 
φ, ψ ∈ Bfun, 

$$\phi \models \psi \iff (\forall a \in \mathit{Bval} : \phi(a) = 1 \implies \psi(a) = 1).$$

The distinguished elements ⊥, ⊤ ∈ Bfun are defined by ⊥ ≝ λa ∈ Bval . 0 and 
⊤ ≝ λa ∈ Bval . 1, respectively. For each φ ∈ Bfun, x ∈ VI, and c ∈ 𝔹, the 
function φ[c/x] ∈ Bfun is given, for each a ∈ Bval, by φ[c/x](a) ≝ φ(a[c/x]). 
When X ⊆ VI, φ[c/X] is defined in the expected way. If φ ∈ Bfun and x, y ∈ VI 
the function φ[y/x] ∈ Bfun is given by φ[y/x](a) ≝ φ(a[a(y)/x]), for each 
a ∈ Bval. Boolean functions are constructed from the elementary functions 
corresponding to variables and by means of the usual logical connectives. Thus 
x denotes the Boolean function φ such that, for each a ∈ Bval, φ(a) = 1 if and 
only if a(x) = 1. For φ_1, φ_2 ∈ Bfun, we write φ_1 ∧ φ_2 to denote the function 
φ such that, for each a ∈ Bval, φ(a) = 1 if and only if both φ_1(a) = 1 and 
φ_2(a) = 1. A variable is restricted away using Schröder’s elimination principle 
[El]: ∃x . φ ≝ φ[1/x] ∨ φ[0/x]. Note that existential quantification is both 
monotonic and extensive on Bfun. The other Boolean connectives and quantifiers 
are handled similarly. 

Pos ⊆ Bfun consists precisely of those functions assuming the true value 
under the everything-is-true assignment, i.e., Pos ≝ { φ ∈ Bfun | φ(1) = 1 }. 
For each φ ∈ Bfun, the positive part of φ, denoted pos(φ), is the strongest Pos 
formula that is entailed by φ. Formally, pos(φ) ≝ φ ∨ ⋀VI. 

For each φ ∈ Bfun, the set of variables necessarily true for φ and the set of 
variables necessarily false for φ are given, respectively, by 

$$\mathrm{true}(\phi) \stackrel{\mathrm{def}}{=} \{\, x \in \mathit{VI} \mid \forall a \in \mathit{Bval} : \phi(a) = 1 \implies a(x) = 1 \,\},$$

$$\mathrm{false}(\phi) \stackrel{\mathrm{def}}{=} \{\, x \in \mathit{VI} \mid \forall a \in \mathit{Bval} : \phi(a) = 1 \implies a(x) = 0 \,\}.$$



3 The Concrete Domain 



A knowledge of the basic concepts of abstract interpretation theory [TMB] is 
assumed. In this paper, the concrete domain consists of pairs of the form (Σ, V), 
where V is a finite set of variables of interest and Σ is a (possibly infinite) set 
of substitutions in rational solved form. 

Definition 4. (The concrete domain.) Let D♭ ≝ ℘(RSubst) × ℘f(Vars). 
If (Σ, V) ∈ D♭, then (Σ, V) represents the (possibly infinite) set of first-order 
formulas { ∃Δ . σ | σ ∈ Σ, Δ = vars(σ) \ V } where σ is interpreted as the 
logical conjunction of the equations corresponding to its bindings. The operation 
of projecting x ∈ Vars away from (Σ, V) ∈ D♭ is defined as follows: 

$$\exists x \,.\, (\Sigma, V) \stackrel{\mathrm{def}}{=} \Bigl\{\, \sigma' \in \mathit{RSubst} \Bigm| \sigma \in \Sigma,\; \overline{V} = \mathit{Vars} \setminus V,\; \mathit{RT} \vdash \forall\bigl(\exists \overline{V} \,.\, (\sigma' \leftrightarrow \exists x \,.\, \sigma)\bigr) \,\Bigr\}.$$

The concrete element ({{x ↦ f(y)}}, {x, y}) expresses a dependency be- 
tween x and y. In contrast, ({{x ↦ f(y)}}, {x}) only constrains x. The same 
concept can be expressed by saying that the variable name y matters in the 
first case but not in the second. Thus the set of variables of interest is crucial 
for defining the meaning of the concrete and abstract descriptions. Despite this, 
always specifying the set of variables of interest would significantly clutter the 
presentation. Moreover, most of the needed functions on concrete and abstract 
descriptions preserve the set of variables of interest. For these reasons, we as- 
sume there exists a set VI ∈ ℘f(Vars) containing, at each stage of the analysis, 
the current variables of interest. As a consequence, when the context makes it 
clear, we will write Σ ∈ D♭ as a shorthand for (Σ, VI) ∈ D♭. 
3.1 Operators on Substitutions in Rational Solved Form 

There are cases when an analysis tries to capture properties of the particular 
substitutions computed by a specific rational unification algorithm. This is the 
case, for example, when the analysis needs to track structure sharing for the pur- 
pose of compile-time garbage collection, or provide upper bounds to the amount 
of memory needed to perform a given computation. More often the interest is 
on properties of the rational trees themselves. In these cases it is possible to 
define abstraction and concretization functions that are independent from the 
finite representations actually considered. Moreover, it is important that these 
functions precisely capture the properties under investigation so as to avoid any 
unnecessary precision loss. 

Pursuing this goal requires the ability to observe properties of (infinite) ra- 
tional trees while just dealing with one of their finite representations. This is not 
always an easy task since even simple properties can be “hidden” when using 
non-idempotent substitutions. For instance, when σ^∞(x) ∈ GTerms \ HTerms 
is an infinite and ground rational tree, all of its finite representations in RSubst 
will map the variable x into a finite term that is not ground. 

These are the motivations behind the introduction of two computable opera- 
tors on substitutions that will be used later to define the concretization functions 
for the considered abstract domains. First, the groundness operator ‘gvars’ cap- 
tures the set of variables that are mapped to ground rational trees by ‘σ^∞’. We 
define it by means of the occurrence operator ‘occ’ introduced in [16]. 

Definition 5. (Occurrence and groundness operators.) For each n ∈ ℕ, 
the occurrence function occ_n : RSubst × Vars → ℘f(Vars) is defined, for each 
σ ∈ RSubst and each v ∈ Vars, by 

$$\mathrm{occ}_n(\sigma, v) \stackrel{\mathrm{def}}{=} \begin{cases} \{v\} \setminus \mathrm{dom}(\sigma), & \text{if } n = 0; \\ \{\, y \in \mathit{Vars} \mid \mathit{vars}(y\sigma) \cap \mathrm{occ}_{n-1}(\sigma, v) \neq \emptyset \,\}, & \text{if } n > 0. \end{cases}$$

The occurrence operator occ : RSubst × Vars → ℘f(Vars) is given, for each sub- 
stitution σ ∈ RSubst and v ∈ Vars, by occ(σ, v) ≝ occ_ℓ(σ, v), where ℓ = # σ. 

The groundness operator gvars: RSubst → ℘f(Vars) is given, for each sub- 
stitution σ ∈ RSubst, by 

$$\mathrm{gvars}(\sigma) \stackrel{\mathrm{def}}{=} \{\, y \in \mathrm{dom}(\sigma) \mid \forall v \in \mathit{vars}(\sigma) : y \notin \mathrm{occ}(\sigma, v) \,\}.$$

The finiteness operator ‘hvars’, introduced in [1], captures the set of variables 
that ‘σ^∞’ maps to finite terms. 

Definition 6. (Finiteness operator.) For each n ∈ ℕ, the finiteness function 
hvars_n : RSubst → ℘(Vars) is defined, for each σ ∈ RSubst, by 

$$\mathrm{hvars}_n(\sigma) \stackrel{\mathrm{def}}{=} \begin{cases} \mathit{Vars} \setminus \mathrm{dom}(\sigma), & \text{if } n = 0; \\ \mathrm{hvars}_{n-1}(\sigma) \cup \{\, y \in \mathrm{dom}(\sigma) \mid \mathit{vars}(y\sigma) \subseteq \mathrm{hvars}_{n-1}(\sigma) \,\}, & \text{if } n > 0. \end{cases}$$

Boolean Functions for Finite-Tree Dependencies 585 

The finiteness operator hvars : RSubst → ℘(Vars) is given, for each substitution 
σ ∈ RSubst, by hvars(σ) ≝ hvars_ℓ(σ), where ℓ = # σ. 

Example 1. Let 

$$\sigma = \{\, x \mapsto f(y, z),\; y \mapsto g(z, x),\; z \mapsto f(a) \,\},$$

$$\tau = \{\, v \mapsto g(z, w),\; x \mapsto f(y),\; y \mapsto g(w),\; z \mapsto f(z) \,\},$$

where vars(σ) ∪ vars(τ) = {v, w, x, y, z}. Then gvars(σ) ∩ vars(σ) = {x, y, z} and 
hvars(τ) ∩ vars(τ) = {w, x, y}. 
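The two operators can be checked mechanically. The following Python is an added example, not code from the paper: it implements occ, gvars and hvars from Definitions 5 and 6 over finite terms written as nested tuples (an encoding assumed here) and reproduces the sets of Example 1.

```python
# Added example (not the paper's code): the occurrence, groundness and
# finiteness operators of Definitions 5 and 6 on substitutions in rational
# solved form, checked against Example 1.  Finite terms are nested tuples
# ('f', arg, ...), variables are strings, a substitution is a dict x -> t.


def term_vars(t):
    """vars(t): the variables occurring in a finite term."""
    if isinstance(t, str):
        return {t}
    return set().union(*(term_vars(a) for a in t[1:]))


def subst_vars(sigma):
    """vars(sigma): every variable occurring in the bindings of sigma."""
    return set(sigma) | set().union(*(term_vars(t) for t in sigma.values()))


def occ(sigma, v):
    """occ(sigma, v) = occ_l(sigma, v) with l = #sigma, where
    occ_0 = {v} minus dom(sigma) and
    occ_n = { y | vars(y sigma) ∩ occ_{n-1} ≠ ∅ }.
    Only v and the variables of sigma can ever enter, so they are enough."""
    universe = subst_vars(sigma) | {v}
    cur = {v} - set(sigma)
    for _ in range(len(sigma)):
        cur = {y for y in universe if term_vars(sigma.get(y, y)) & cur}
    return cur


def gvars(sigma):
    """Definition 5: domain variables mapped by sigma^∞ to ground rational
    trees, i.e. never in occ(sigma, v) for any v ∈ vars(sigma)."""
    return {y for y in sigma
            if all(y not in occ(sigma, v) for v in subst_vars(sigma))}


def hvars(sigma):
    """Definition 6, restricted to vars(sigma) as in Example 1:
    hvars_0 = Vars minus dom(sigma) (kept implicit, Vars being infinite)
    and hvars_n adds every y ∈ dom(sigma) whose binding mentions only
    variables already in hvars_{n-1}; l = #sigma rounds suffice."""
    added = set()
    for _ in range(len(sigma)):
        added |= {y for y, t in sigma.items()
                  if all(z not in sigma or z in added for z in term_vars(t))}
    return (subst_vars(sigma) - set(sigma)) | added


# Example 1 of the paper: sigma = {x ↦ f(y,z), y ↦ g(z,x), z ↦ f(a)},
# tau = {v ↦ g(z,w), x ↦ f(y), y ↦ g(w), z ↦ f(z)}; the constant a is ('a',).
SIGMA = {"x": ("f", "y", "z"), "y": ("g", "z", "x"), "z": ("f", ("a",))}
TAU = {"v": ("g", "z", "w"), "x": ("f", "y"), "y": ("g", "w"), "z": ("f", "z")}
```

Besides the two sets stated in Example 1, the code also shows that z is the only ground variable of τ (it is bound to the infinite ground tree f(f(f(...)))) and that z is the only finite variable of σ.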

The following proposition states how ‘gvars’ and ‘hvars’ behave with respect 
to the further instantiation of variables. 

Proposition 8. Let σ, τ ∈ RSubst, where τ ∈ ↓σ. Then 

$$\mathrm{hvars}(\sigma) \supseteq \mathrm{hvars}(\tau), \tag{8a}$$

$$\mathrm{gvars}(\sigma) \cap \mathrm{hvars}(\sigma) \subseteq \mathrm{gvars}(\tau) \cap \mathrm{hvars}(\tau). \tag{8b}$$



4 Finite- Tree Dependencies 

Any finite-tree domain must keep track of those variables that are definitely 
bound to finite terms, since this is the final information delivered by the analysis. 
In [4] we have introduced the composite abstract domain H × P, where the set 
of such variables is explicitly represented in the finiteness component H. 

Definition 9. (The finiteness component H.) The set H ≝ ℘(VI), par- 
tially ordered by reverse subset inclusion, is called finiteness component. The 
concretization function γ_H : H → ℘(RSubst) is given, for each h ∈ H, by 

$$\gamma_H(h) \stackrel{\mathrm{def}}{=} \{\, \sigma \in \mathit{RSubst} \mid \mathrm{hvars}(\sigma) \supseteq h \,\}.$$

As proven in [3], equivalent substitutions in rational solved form have the 
same finiteness abstraction. 

Proposition 10. Let σ, τ ∈ RSubst, where σ ∈ γ_H(h) and RT ⊢ ∀(σ ↔ τ). 
Then τ ∈ γ_H(h). 
</gr_repl>

<gr_replace lines="37316-37317" cat="clarify" orig="other kinds of relational">
other kinds of relational information. In particular, we now show how finite-tree 
dependencies allow us to obtain a positive propagation of finiteness information. 

The precision of the finite-tree analysis of [1] is highly dependent on the preci- 
sion of the generic component P. As explained before, the information provided 
by P on groundness, freeness, linearity, and sharing of variables is exploited, in 
the combination H x P, to circumscribe as much as possible the creation and 
propagation of cyclic terms. However, finite-tree analysis can also benefit from 
other kinds of relational information. In particular, we now show how finite-tree 
dependencies allow to obtain a positive propagation of finiteness information. 

Let us consider the finite terms t_1 = f(x), t_2 = g(y), and t_3 = h(x, y): 
it is clear that, for each assignment of rational terms to x and y, t_3 is finite 
if and only if t_1 and t_2 are so. We can capture this by the Boolean formula 
t_3 ↔ (t_1 ∧ t_2). The important point to notice is that this dependency will 
keep holding for any further simultaneous instantiation of t_1, t_2, and t_3. In other 
words, such dependencies are preserved by forward computations (which proceed 
by consistently instantiating program variables). 

Consider x ↦ t ∈ Bind where t ∈ HTerms and vars(t) = {y_1, ..., y_n}. After 
this binding has been successfully applied, the destinies of x and t concerning 
term-finiteness are tied together: forever. This tie can be described by the de- 
pendency formula 

$$x \leftrightarrow (y_1 \wedge \cdots \wedge y_n), \tag{2}$$

meaning that x will be bound to a finite term if and only if y_i is bound to a 
finite term, for each i = 1, ..., n. While the dependency expressed by (2) is 
a correct description of any computation state following the application of the 
binding x ↦ t, it is not as precise as it could be. Suppose that x and y_k are 
indeed the same variable. Then (2) is logically equivalent to 

$$x \rightarrow (y_1 \wedge \cdots \wedge y_{k-1} \wedge y_{k+1} \wedge \cdots \wedge y_n). \tag{3}$$

Correct: whenever x is bound to a finite term, all the other variables will be 
bound to finite terms. The point is that x has just been bound to a non-finite 
term, irrevocably: no forward computation can change this. Thus, the implication 
(3) holds vacuously. A more precise and correct description for the state of affairs 
caused by the cyclic binding is, instead, the negated atom ¬x, whose intuitive 
reading is “x is not (and never will be) finite.” 

We are building an abstract domain for finite-tree dependencies where we 
are making the deliberate choice of including only information that cannot be 
withdrawn by forward computations. The reason for this choice is that we want 
the concrete constraint accumulation process to be paralleled, at the abstract 
level, by another constraint accumulation process: logical conjunction of Boolean 
formulas. For this reason, it is important to distinguish between permanent and 
contingent information. Permanent information, once established for a program 
point p, maintains its validity in all points that follow p in any forward compu- 
tation. Contingent information, instead, does not carry its validity beyond the 
point where it is established. An example of contingent information is given by 
the h component of H × P: having x ∈ h in the description of some program 
point means that x is definitely bound to a finite term at that point; nothing is 
claimed about the finiteness of x at later program points and, in fact, unless x is 
ground, x can still be bound to a non-finite term. However, if at some program 
point x is finite and ground, then x will remain finite. In this case we will ensure 
our Boolean dependency formula entails the positive atom x. 

At this stage, we already know something about the abstract domain we are 
designing. In particular, we have positive and negated atoms, the requirement of 
describing program predicates of any arity implies that arbitrary conjunctions of 
these atomic formulas must be allowed and, finally, it is not difficult to observe 
that the merge-over-all-paths operation will be logical disjunction, so that 
the domain will have to be closed under this operation. This means that the 
carrier of our domain must be able to express any Boolean function: Bfun is the 
carrier. 



Definition 11. (γ_F : Bfun → ℘(RSubst).) The function hval: RSubst → Bval 
is defined, for each σ ∈ RSubst and each x ∈ VI, by 

$$\mathrm{hval}(\sigma)(x) = 1 \iff x \in \mathrm{hvars}(\sigma).$$

The concretization function γ_F : Bfun → ℘(RSubst) is defined, for φ ∈ Bfun, by 

$$\gamma_F(\phi) \stackrel{\mathrm{def}}{=} \{\, \sigma \in \mathit{RSubst} \mid \forall \tau \in {\downarrow}\sigma : \phi(\mathrm{hval}(\tau)) = 1 \,\}.$$

The following theorem shows how most of the operators needed to compute 
the concrete semantics of a logic program can be correctly approximated on the 
abstract domain Bfun. 

Theorem 12. Let Σ, Σ_1, Σ_2 ∈ ℘(RSubst) and φ, φ_1, φ_2 ∈ Bfun be such that 
γ_F(φ) ⊇ Σ, γ_F(φ_1) ⊇ Σ_1, γ_F(φ_2) ⊇ Σ_2. Let also (x ↦ t) ∈ Bind, where 
{x} ∪ vars(t) ⊆ VI. Then the following hold: 

$$\gamma_F\bigl(x \leftrightarrow \textstyle\bigwedge \mathit{vars}(t)\bigr) \supseteq \{\{x \mapsto t\}\}; \tag{12a}$$

$$\gamma_F(\neg x) \supseteq \{\{x \mapsto t\}\}, \quad \text{if } x \in \mathit{vars}(t); \tag{12b}$$

$$\gamma_F(x) \supseteq \{\, \sigma \in \mathit{RSubst} \mid x \in \mathrm{gvars}(\sigma) \cap \mathrm{hvars}(\sigma) \,\}; \tag{12c}$$

$$\gamma_F(\phi_1 \wedge \phi_2) \supseteq \bigcup \{\, \mathrm{mgs}(\sigma_1 \cup \sigma_2) \mid \sigma_1 \in \Sigma_1,\; \sigma_2 \in \Sigma_2 \,\}; \tag{12d}$$

$$\gamma_F(\phi_1 \vee \phi_2) \supseteq \Sigma_1 \cup \Sigma_2; \tag{12e}$$

$$\gamma_F(\exists x \,.\, \phi) \supseteq \exists x \,.\, \Sigma. \tag{12f}$$

Cases (12a), (12b), and (12d) of Theorem 12 ensure that the following definition 
of amgu_F provides a correct approximation on Bfun of the concrete unification 
of rational trees. 



Definition 13. The function amgu_F : Bfun × Bind → Bfun captures the effects 
of a binding on a finite-tree dependency formula. Let φ ∈ Bfun and (x ↦ t) ∈ 
Bind be such that {x} ∪ vars(t) ⊆ VI. Then 

$$\mathrm{amgu}_F(\phi, x \mapsto t) \stackrel{\mathrm{def}}{=} \begin{cases} \phi \wedge \bigl(x \leftrightarrow \bigwedge \mathit{vars}(t)\bigr), & \text{if } x \notin \mathit{vars}(t); \\ \phi \wedge \neg x, & \text{otherwise.} \end{cases}$$



Other semantic operators, such as the consistent renaming of variables, are very 
simple and, as usual, their approximation does not pose any problem. 

The next result shows how finite-tree dependencies may improve the finite- 
ness information encoded in the h component of the domain H x P. 

Theorem 14. Let h ∈ H and φ ∈ Bfun. Let also h' ≝ true(φ ∧ ⋀h). Then 

$$\gamma_H(h) \cap \gamma_F(\phi) = \gamma_H(h') \cap \gamma_F(\phi).$$



588 R. Bagnara et al. 



Example 15. Consider the following program, where it is assumed that the only 
“external” query is ‘?- r(X, Y)’: 

p(X, Y) :- X = f(Y, _). 

q(X, Y) :- X = f(_, Y). 

r(X, Y) :- p(X, Y), q(X, Y), acyclic_term(X). 

Then the predicate p/2 in the clause defining r/2 will be called with X and Y both 
unbound. Computing on the abstract domain H × P gives us the finiteness 
description h_p = {x, y}, expressing the fact that both X and Y are bound to 
finite terms. Computing on the finite-tree dependencies domain Bfun gives us 
the Boolean formula φ_p = x → y (Y is finite if X is so). 

Considering now the call to the predicate q/2, we note that, since variable 
X is already bound to a non-variable term sharing with Y, all the finiteness 
information encoded by H will be lost (i.e., h_q = ∅). So, both X and Y are 
detected as possibly cyclic. However, the finite-tree dependency information is 
preserved, because φ_q = (x → y) ∧ (x → y) = x → y. 

Finally, consider the effect of the abstract evaluation of acyclic_term(X). 
On the H × P domain we can only infer that variable X cannot be bound to an 
infinite term, while Y will be still considered as possibly cyclic, so that h_r = {x}. 
On the domain Bfun we can just confirm that the finite-tree dependency com- 
puted so far still holds, so that φ_r = x → y (no stronger finite-tree dependency 
can be inferred, since the finiteness of X is only contingent). Thus, by applying 
the result of Theorem 14 we can recover the finiteness of Y: 

$$h'_r = \mathrm{true}\bigl(\phi_r \wedge \textstyle\bigwedge h_r\bigr) = \mathrm{true}\bigl((x \rightarrow y) \wedge x\bigr) = \{x, y\}.$$

Information encoded in H x P and Bfun is not completely orthogonal and 
the following result provides a kind of consistency check. 

Theorem 16. Let h ∈ H and φ ∈ Bfun. Then 

$$\gamma_H(h) \cap \gamma_F(\phi) \neq \emptyset \implies h \cap \mathrm{false}(\phi) = \emptyset.$$

Note however that, provided the abstract operators are correct, the computed 
descriptions will always be mutually consistent, unless φ = ⊥. 

5 Groundness Dependencies 

Since information about the groundness of variables is crucial for many applica- 
tions, it is natural to consider a static analysis domain including both a finite-tree 
and a groundness component. In fact, any reasonably precise implementation of 
the parameter component P of the abstract domain specified in [4] will include 
some kind of groundness information. We highlight similarities, differences and 
connections relating the domain Bfun for finite-tree dependencies to the abstract 
domain Pos for groundness dependencies. Note that these results also hold when 
considering a combination of Bfun with the groundness domain Def [T] . 
Definition 17. (γ_G : Pos → ℘(RSubst).) The function gval: RSubst → Bval is 
defined as follows, for each σ ∈ RSubst and each x ∈ VI: 

$$\mathrm{gval}(\sigma)(x) = 1 \iff x \in \mathrm{gvars}(\sigma).$$

The concretization function γ_G : Pos → ℘(RSubst) is defined, for each ψ ∈ Pos, by 

$$\gamma_G(\psi) \stackrel{\mathrm{def}}{=} \{\, \sigma \in \mathit{RSubst} \mid \forall \tau \in {\downarrow}\sigma : \psi(\mathrm{gval}(\tau)) = 1 \,\}.$$



Definition 18. The function amgu_G : Pos × Bind → Pos captures the effects of 
a binding on a groundness dependency formula. Let ψ ∈ Pos and (x ↦ t) ∈ Bind 
be such that {x} ∪ vars(t) ⊆ VI. Then 

$$\mathrm{amgu}_G(\psi, x \mapsto t) \stackrel{\mathrm{def}}{=} \psi \wedge \Bigl(x \leftrightarrow \bigwedge\bigl(\mathit{vars}(t) \setminus \{x\}\bigr)\Bigr).$$

Note that this is a simple variant of the standard abstract unification operator 
for groundness analysis over finite-tree domains: the only difference concerns the 
case of cyclic bindings [2]. 

The next result shows how, by exploiting the finiteness component H , the 
finite-tree dependencies {Bfun) component and the groundness dependencies 
(Pos) component can improve each other. 

Theorem 19. Let h ∈ H, φ ∈ Bfun and ψ ∈ Pos. Let also φ' ∈ Bfun and 
ψ' ∈ Pos be defined as φ' ≝ ∃VI \ h . ψ and ψ' ≝ ∃VI \ h . pos(φ). Then 

$$\gamma_H(h) \cap \gamma_F(\phi) \cap \gamma_G(\psi) = \gamma_H(h) \cap \gamma_F(\phi) \cap \gamma_G(\psi \wedge \psi'); \tag{19a}$$

$$\gamma_H(h) \cap \gamma_F(\phi) \cap \gamma_G(\psi) = \gamma_H(h) \cap \gamma_F(\phi \wedge \phi') \cap \gamma_G(\psi). \tag{19b}$$



Moreover, even without any knowledge of the H component, combining Theo- 
rem 14 and Eq. (19a), the groundness dependencies component can be improved. 

Corollary 20. Let φ ∈ Bfun and ψ ∈ Pos. Then 

$$\gamma_F(\phi) \cap \gamma_G(\psi) = \gamma_F(\phi) \cap \gamma_G\bigl(\psi \wedge \textstyle\bigwedge \mathrm{true}(\phi)\bigr).$$

The following example shows that, when computing on rational trees, finite- 
tree dependencies may provide groundness information that is not captured by 
the usual approaches. 



Example 21. Consider the program: 

p(a, Y). 
p(X, a). 

q(X, Y) :- p(X, Y), X = f(X, Z). 

The abstract semantics of p/2, for both finite-tree and groundness dependencies, 
is φ_p = ψ_p = x ∨ y. The finite-tree dependency for q/2 is φ_q = (x ∨ y) ∧ ¬x = ¬x ∧ y. 
The groundness dependency for q/2 is obtained using Definition 18. 



Since better groundness information, besides being useful in itself, may also 
improve the precision of many other analyses such as sharing m, the reduction 
steps given by Theorem 19 and Corollary 20 can trigger improvements to the 
precision of other components. Theorem 19 can also be exploited to recover 
precision after the application of a widening operator on either the groundness 
dependencies or the finite-tree dependencies component. 
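The Bfun operators of Section 2.3, amgu_F (Definition 13), amgu_G (Definition 18) and the reductions of Theorem 14 and Corollary 20 can be exercised on Examples 15 and 21. The Python below is an added example, not code from the paper: it models Bfun as truth tables over an assumed set VI = {x, y, z, w}, where w is our own name for the anonymous variable ‘_’ of Example 15, and it carries Example 21 through the Corollary 20 step as well.

```python
# Added example (not the paper's code): truth-table model of Bfun over VI
# with Schroeder elimination, true/false, amgu_F (Def. 13), amgu_G (Def. 18)
# and the reductions of Theorem 14 and Corollary 20, run on Examples 15/21.
# Finite terms are nested tuples ('f', arg, ...); variables are strings.
from itertools import product

VI = ("x", "y", "z", "w")   # variables of interest (an assumption of this demo)
ALL = frozenset(product((0, 1), repeat=len(VI)))   # Bval: every valuation


class Bfun:
    """A Boolean function over VI, kept as the set of valuations it maps to 1."""

    def __init__(self, models):
        self.models = frozenset(models)

    @staticmethod
    def var(x):
        i = VI.index(x)
        return Bfun(a for a in ALL if a[i] == 1)

    def __and__(self, o): return Bfun(self.models & o.models)
    def __or__(self, o): return Bfun(self.models | o.models)
    def __invert__(self): return Bfun(ALL - self.models)
    def __eq__(self, o): return self.models == o.models
    def implies(self, o): return ~self | o
    def iff(self, o): return self.implies(o) & o.implies(self)
    def entails(self, o): return self.models <= o.models     # phi |= psi

    def subst(self, x, c):
        """phi[c/x]: phi evaluated with x forced to the constant c."""
        i = VI.index(x)
        return Bfun(a for a in ALL if a[:i] + (c,) + a[i + 1:] in self.models)

    def exists(self, *xs):
        """Schroeder's elimination principle: ∃x . phi = phi[1/x] ∨ phi[0/x]."""
        phi = self
        for x in xs:
            phi = phi.subst(x, 1) | phi.subst(x, 0)
        return phi

    def true(self):    # true(phi): variables that are 1 in every model of phi
        return {x for i, x in enumerate(VI) if all(a[i] == 1 for a in self.models)}

    def false(self):   # false(phi): variables that are 0 in every model of phi
        return {x for i, x in enumerate(VI) if all(a[i] == 0 for a in self.models)}


TOP = Bfun(ALL)


def conj(xs):
    """⋀xs, the conjunction of a set of variables (⊤ for the empty set)."""
    phi = TOP
    for x in xs:
        phi = phi & Bfun.var(x)
    return phi


def term_vars(t):
    """vars(t) for a finite term: a string is a variable, a tuple is f(args)."""
    if isinstance(t, str):
        return {t}
    return set().union(*(term_vars(a) for a in t[1:]))


def amgu_F(phi, x, t):
    """Definition 13: phi ∧ (x ↔ ⋀vars(t)), or phi ∧ ¬x for a cyclic binding."""
    vs = term_vars(t)
    if x in vs:
        return phi & ~Bfun.var(x)
    return phi & Bfun.var(x).iff(conj(vs))


def amgu_G(psi, x, t):
    """Definition 18: psi ∧ (x ↔ ⋀(vars(t) minus {x}))."""
    return psi & Bfun.var(x).iff(conj(term_vars(t) - {x}))


def example_15():
    """p(X,Y) :- X = f(Y,_).  q(X,Y) :- X = f(_,Y).
    r(X,Y) :- p(X,Y), q(X,Y), acyclic_term(X).
    The anonymous '_' is modelled by w and projected away after each clause."""
    phi_p = amgu_F(TOP, "x", ("f", "y", "w")).exists("w")   # x → y
    phi_q = amgu_F(TOP, "x", ("f", "w", "y")).exists("w")   # x → y
    phi_r = phi_p & phi_q                                   # still x → y
    h_r = {"x"}                        # H after acyclic_term(X): only X finite
    h_r2 = (phi_r & conj(h_r)).true()  # Theorem 14: h' = true(phi ∧ ⋀h)
    return phi_r, h_r2


def example_21():
    """p(a,Y). p(X,a). q(X,Y) :- p(X,Y), X = f(X,Z).
    Returns phi_q, psi_q and psi_q strengthened via Corollary 20."""
    # p/2: the clauses bind x ↦ a and y ↦ a; merge-over-all-paths is ∨.
    phi_p = amgu_F(TOP, "x", ("a",)) | amgu_F(TOP, "y", ("a",))   # x ∨ y
    psi_p = amgu_G(TOP, "x", ("a",)) | amgu_G(TOP, "y", ("a",))   # x ∨ y
    phi_q = amgu_F(phi_p, "x", ("f", "x", "z")).exists("z")       # ¬x ∧ y
    psi_q = amgu_G(psi_p, "x", ("f", "x", "z")).exists("z")       # x ∨ y
    psi_q2 = psi_q & conj(phi_q.true())   # Corollary 20: psi ∧ ⋀true(phi)
    return phi_q, psi_q, psi_q2
```

For Example 21 the Corollary 20 step turns ψ_q = x ∨ y into y, the groundness fact that Pos alone misses because the cyclic binding X = f(X, Z) makes X non-finite and therefore, via φ_q, forces Y ground.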

6 Experimental Results 

The work described here and in [4] has been experimentally evaluated in the 
framework provided by the China analyzer [2]. We implemented and compared 
the three domains Pattern(P), Pattern(H × P) and Pattern(Bfun × H × P), 
where the parameter component P has been instantiated to the domain Pos × 
SFL [7] for tracking groundness, freeness, linearity and (non-redundant) set- 
sharing information. The Pattern(·) operator [5] further upgrades the precision 
of its argument by adding explicit structural information. 

Concerning the Bfun component, the implementation was straightforward, 
since all the techniques described in |S] (and almost all the code, including the 
widenings) have been reused unchanged, obtaining comparable efficiency. As a 
consequence, most of the implementation effort was in the coding of the ab- 
stract operators on the H component and of the reduction processes between 
the different components. A key choice, in this sense, is ‘when’ the reduction 
steps given in Theorems 14 and 19 should be applied. When striving for maxi- 
mum precision, a trivial strategy is to immediately perform reductions after any 
application of any abstract operator. For instance, this is how predicates like 
acyclic_term/1 should be handled: after adding the variables of the argument 
to the H component, the reduction process is applied to propagate the new in- 
formation to all domain components. However, such an approach turns out to be 
unnecessarily inefficient. In fact, the next result shows that Theorems 14 and 19 
cannot lead to a precision improvement if applied just after the abstract eval- 
uation of the merge-over-all-paths or the existential quantification operations 
(provided the initial descriptions are already reduced). 

For ease of notation, the domain names are shortened to P, H and Bfun, respectively. 

$$\psi_q = \exists z \,.\, \bigl((x \vee y) \wedge (x \leftrightarrow z)\bigr) = x \vee y.$$

This can be improved, using Corollary 20, to 
Table 1. The precision on finite variables when using P, H and Bfun. 

  Prec. class        P     H   Bfun 
  p = 100            2    84     86 
  80 < p < 100       1    31     36 
  60 < p < 80        7    26     23 
  40 < p < 60        6    41     40 
  20 < p < 40       47    47     46 
  0 < p < 20       185    19     17 

  Prec. improvement   P -> H   H -> Bfun 
  i > 20                 185           4 
  10 < i < 20             31           3 
  5 < i < 10              11           6 
  2 < i < 5                4          10 
  0 < i < 2                2          24 
  no improvement          15         201 

Theorem 22. Let x ∈ VI, h, h' ∈ H, φ, φ' ∈ Bfun and ψ, ψ' ∈ Pos. Let 

$$h_1 \stackrel{\mathrm{def}}{=} h \cap h', \qquad \phi_1 \stackrel{\mathrm{def}}{=} \phi \vee \phi', \qquad \psi_1 \stackrel{\mathrm{def}}{=} \psi \vee \psi',$$

$$h_2 \stackrel{\mathrm{def}}{=} h \cup \{x\}, \qquad \phi_2 \stackrel{\mathrm{def}}{=} \exists x \,.\, \phi, \qquad \psi_2 \stackrel{\mathrm{def}}{=} \exists x \,.\, \psi.$$

Let also 

$$h \supseteq \mathrm{true}\bigl(\phi \wedge \textstyle\bigwedge h\bigr), \qquad \phi \models (\exists \mathit{VI} \setminus h \,.\, \psi), \qquad \psi \models (\exists \mathit{VI} \setminus h \,.\, \mathrm{pos}(\phi)),$$

$$h' \supseteq \mathrm{true}\bigl(\phi' \wedge \textstyle\bigwedge h'\bigr), \qquad \phi' \models (\exists \mathit{VI} \setminus h' \,.\, \psi'), \qquad \psi' \models (\exists \mathit{VI} \setminus h' \,.\, \mathrm{pos}(\phi')).$$

Then, for i = 1, 2, 

$$h_i \supseteq \mathrm{true}\bigl(\phi_i \wedge \textstyle\bigwedge h_i\bigr), \qquad \phi_i \models (\exists \mathit{VI} \setminus h_i \,.\, \psi_i), \qquad \psi_i \models (\exists \mathit{VI} \setminus h_i \,.\, \mathrm{pos}(\phi_i)).$$


We conjecture that Theorem 22 can be strengthened: the reduction process af- 
fecting the Bfun component, corresponding to Eq. (19b) of Theorem 19, seems 
to be useless also after the application of an abstract unification. In any case, 
this reduction process can be usefully exploited to recover precision after the 
application of a widening operator on the Bfun component. 



A goal-dependent analysis was run for all the programs in our benchmark 
suite and the results (with respect to the precision) are summarized in Table 1. 
Here, the precision is measured as the percentage of the total number of variables 
that the analyser can show to be Herbrand. Two alternative views are provided. 

In the first view, each column is labeled by an analysis domain and each row 
is labeled by a precision interval. For instance, the value ‘31’ at the intersection 
of column ‘H’ and row ‘80 < p < 100’ is to be read as “for 31 benchmarks, the 
percentage p of the total number of variables that the analyser can show to be 
Herbrand using the domain H is between 80% and 100%.” 

The second view provides a better picture of the precision improvements 
obtained when moving from P to H (in the column ‘P → H’) and from H to 
Bfun (in the column ‘H → Bfun’). For instance, the value ‘10’ at the intersection 
of column ‘H → Bfun’ and row ‘2 < i < 5’ is to be read as “when moving from 
H to Bfun, for 10 benchmarks the improvement i in the percentage of the total 
number of variables shown to be Herbrand was between 2% and 5%.” 
It can be seen from Table 1 that, even though the H domain is remarkably 
precise, the inclusion of the Bfun component allows for a further, and sometimes 
significant, precision improvement for a number of benchmarks. It is worth not- 
ing that the current implementation of China does not yet fully exploit the 
finite-tree dependencies arising when evaluating many of the built-in predicates, 
therefore incurring an avoidable precision loss. We are working on this issue and 
we expect that the specialised implementation of the abstract evaluation of some 
built-ins will result in more and better precision improvements. The experimen- 
tation has also shown that, in practice, the Bfun domain does not improve the 
groundness information. 

7 Conclusion 

Several modern logic-based languages offer a computation domain based on ra- 
tional trees. On the one hand, the use of such trees is encouraged by the pos- 
sibility of using efficient and correct unification algorithms and by an increase 
in expressivity. On the other hand, these gains are countered by the extra prob- 
lems rational trees bring with themselves. As a consequence, those applications 
that exploit rational trees tend to do so in a very controlled way, that is, most 
program variables can only be bound to finite terms. By detecting the program 
variables that may be bound to infinite terms with a good degree of accuracy, 
we can significantly reduce the disadvantages of using rational trees. 

In [4], an initial solution to the problem was proposed where the composite 
abstract domain H × P allows us to track the creation and propagation of infi- 
nite terms. Even though this information is crucial to any finite-tree analysis, 
propagating the guarantees of finiteness that come from several built-ins (includ- 
ing those that are explicitly provided to test term-finiteness) is also important. 
Therefore, in this paper we have introduced a domain of Boolean functions Bfun 
for finite-tree dependencies which, when coupled to the domain H × P, can en- 
hance its expressive power. Since Bfun has many similarities with the domain 
Pos used for groundness analysis, we have investigated how these two domains 
relate to each other and, in particular, the synergy arising from their combination 
in the “global” domain of analysis. 
Abstract. In this paper we push forward the idea of applying the ab- 
stract interpretation concepts to the problem of verification of programs. 

We consider the theory of abstract verification as proposed in and we 
show how it is possible to transform static analyzers with some suitable 
properties to obtain automatic verification tools based on sufficient veri- 
fication conditions. We prove that the approach is general and flexible by 
showing three different verification tools based on different domains of 
types for functional, logic and CLP programming. The verifier for func- 
tional programs is obtained from a static analyzer which implements one 
of the polymorphic type domains introduced by Cousot [H]. The one for 
logic programs is obtained from a static analyzer on a type domain de- 
signed by Codish and Lagoon [3], while the verifier for CLP programs is 
obtained from the type analyzer described in m. 

1 Abstract Interpretation and Verification 

Abstract interpretation [9,10] is a general theory for approximating the semantics 
of discrete dynamic systems, originally developed by Patrick and Radhia Cousot, 
in the late 70’s, as a unifying framework for specifying and validating static 
program analyses. The abstract semantics is an approximation of the concrete 
one, where exact (concrete) properties are replaced by approximated properties, 
modeled by an abstract domain. The framework of abstract interpretation can 
be useful to study hierarchies of semantics and to reconstruct data-flow analysis 
methods. It can be used to prove the safety of an analysis algorithm. However, 
it can also be used to systematically derive “optimal” abstract semantics from 
the abstract domain. 

From the very beginning, abstract interpretation was shown to be useful for 
the automatic generation of program invariants. More recently mm , it was 
shown to be very useful to understand, organize and synthesize proof methods 
for program verification. In particular, we are interested in one specific approach 
to the generation of abstract interpretation-based partial correctness conditions 
mm. which is used also in abstract debugging mm- 

The aim of verification is to define conditions which allow us to formally prove 
that a program behaves as expected, i.e., that the program is correct w.r.t. a 
given specification, a description of the program’s expected behavior. In order 
to formally prove that a program behaves as expected, we can use a semantic 
approach based on abstract interpretation techniques. This approach allows us 
to derive in a uniform way sufficient conditions for proving partial correctness 
w.r.t. different properties. 

Assume we have a semantic evaluation function $T_P$ on a concrete domain 
$(C, \sqsubseteq)$, whose least fixpoint $\mathrm{lfp}_C(T_P)$ is the semantics of the program $P$. The 
ideas behind this approach are the following. 

— As in standard abstract interpretation based program analysis, the class of 
properties we want to verify is formalized as an abstract domain $(A, \leq)$, 
related to $(C, \sqsubseteq)$ by the usual Galois connection $\alpha : C \to A$ and $\gamma : A \to C$ 
(abstraction and concretization functions). The corresponding abstract 
semantic evaluation function $T_P^\alpha$ is systematically derived from $T_P$, $\alpha$ and 
$\gamma$. The resulting abstract semantics $\mathrm{lfp}_A(T_P^\alpha)$ is a correct approximation of 
the concrete semantics by construction, i.e., $\alpha(\mathrm{lfp}_C(T_P)) \leq \mathrm{lfp}_A(T_P^\alpha)$, and no 
additional “correctness” theorems need to be proved. 

— An element $S_\alpha$ of the domain $(A, \leq)$ is the specification, i.e., the abstraction 
of the intended concrete semantics. 

— The partial correctness of a program $P$ w.r.t. a specification $S_\alpha$ can be 
expressed as 

$$\alpha(\mathrm{lfp}_C(T_P)) \leq S_\alpha \qquad (1)$$

— Since condition (1) requires the computation of the concrete fixpoint semantics, 
this condition is not effectively computable. Then, we can prove instead 
the condition 

$$\mathrm{lfp}_A(T_P^\alpha) \leq S_\alpha \qquad (2)$$

which implies partial correctness. Note that the new verification condition 
does not require the computation of the concrete fixpoint semantics. However, 
an abstract fixpoint computation is still needed. 

— A simpler condition, which is the abstract version of Park’s fixpoint 
induction condition [20], is sufficient for (2) and, therefore, for partial 
correctness to hold: 

$$T_P^\alpha(S_\alpha) \leq S_\alpha. \qquad (3)$$

Following the above approach, we can define a verification framework paramet- 
ric with respect to the (abstract) property we want to model. Given a specific 
property, the corresponding verification conditions are systematically derived 
from the framework and guaranteed to be indeed sufficient partial correctness 
conditions. 

An important result is that, following our abstract interpretation approach, 
the issue of completeness of a verification method can be addressed in terms 
of properties of the chosen abstract interpretation. In general, in fact, given an 
inductive proof method, if a program is correct with respect to a specification $S$ 
(i.e., if (1) is satisfied) the sufficient condition (3) might not hold for $S$. However, 
if the method is complete, then when the program is correct with respect to $S$, 
there exists a property $X$, stronger than $S$, which verifies the sufficient condition. 
[?] proved that the method is complete if and only if the abstraction is 
precise with respect to $T_P$, that is if $\alpha(\mathrm{lfp}_C(T_P)) = \mathrm{lfp}_A(T_P^\alpha)$. This approach 
allows us to use some standard methods (see for example [?]), which allow us 
to systematically enrich a domain of properties so as to obtain an abstraction 
which is fully precise ($\alpha \circ F = F^\alpha \circ \alpha$) w.r.t. a given function $F$. Since full 
precision w.r.t. the semantic function $T_P$ implies precision with respect to $T_P$, 
these methods can be viewed as the basis for the systematic development of 
complete proof methods. 

let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1 

Fig. 1. The recursive function f. 

2 Sufficient Verification Conditions 

As we have already pointed out, trying to prove condition (1) leads to a non-effective 
verification method. This is due to the fact that (1) requires the computation 
of the concrete fixpoint semantics, which, in general, is not effective. 
A verification method based on condition (2) is effective only if the abstract 
domain is Noetherian or otherwise if we use widening operators to ensure the 
termination of the computation of the abstract fixpoint semantics. This is the 
approach adopted, for example, in the verifier of the Ciao Prolog Development 
System [?]. 

Even if the methods based on condition (2) may seem stronger than the 
methods based on condition (3), this is not always the case. When the domain 
is non-Noetherian the use of widening operators leads to an unavoidable loss of 
precision, which, in some cases, makes condition (2) weaker than condition (3). 
We will show an example of this in the case of the polymorphic type domain 
for functional languages considered in Section 3.2. In particular we will show 
that, using a verification method based on condition (2) with the ML widening, 
it is not possible to prove that the function in Figure 1 has type (’a -> ’a) -> 
(’a -> ’b) -> int -> ’a -> ’b, while it is possible using condition (3). Moreover, 
even when the abstract domain is Noetherian, the computation of the abstract 
fixpoint semantics may be very expensive. 
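The relation between conditions (1)-(3) of Section 1 and the precision loss attributed to widening above can be reproduced on a very small domain. The following Python block is an added example, not code from the paper: it models the loop `x = 0; while x < 10: x = x + 1` (an assumed program) on the interval domain, computes $\mathrm{lfp}_A(T)$ by Kleene iteration with and without a widening operator (condition (2)), and checks the one-step condition (3), $T(S) \leq S$, against the candidate specification $S = [0, 10]$. The transformer `T`, the domain encoding and the function names are this example's own choices.

```python
import math

INF = math.inf
# Abstract domain: intervals (lo, hi) with lo <= hi, or None for the empty
# interval (bottom).  The order of the domain is interval inclusion.

def leq(a, b):
    """a <= b in the abstract domain (interval inclusion; None is bottom)."""
    if a is None:
        return True
    if b is None:
        return False
    return b[0] <= a[0] and a[1] <= b[1]

def join(a, b):
    """Least upper bound of two intervals."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    """Standard interval widening: a bound that keeps moving jumps to infinity."""
    if old is None:
        return new
    if new is None:
        return old
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)

def guard_lt(a, k):
    """Restrict interval a to the integer values satisfying x < k."""
    if a is None or a[0] > k - 1:
        return None
    return (a[0], min(a[1], k - 1))

def add_const(a, c):
    """Abstract effect of the assignment x = x + c."""
    return None if a is None else (a[0] + c, a[1] + c)

def T(s):
    """Abstract transformer for the loop head of  x = 0; while x < 10: x = x + 1
    (assumed program).  The head is reached from the entry (x = 0) or around the
    back edge from a state that passed the guard and was incremented."""
    return join((0, 0), add_const(guard_lt(s, 10), 1))

def lfp(transformer, widening=False, limit=1000):
    """Condition (2): lfp_A(T) by Kleene iteration from bottom.  With widening=True
    the iterates are extrapolated with widen(), which guarantees termination on
    this non-Noetherian domain at the price of precision."""
    s = None
    for _ in range(limit):
        step = transformer(s)
        nxt = widen(s, step) if widening else join(s, step)
        if nxt == s:
            return s
        s = nxt
    raise RuntimeError("no fixpoint reached within the iteration limit")

def park_check(transformer, spec):
    """Condition (3): one application of T to the specification, no fixpoint."""
    return leq(transformer(spec), spec)

if __name__ == "__main__":
    spec = (0, 10)                                         # intended invariant at the loop head
    print("lfp without widening:", lfp(T))                 # (0, 10): condition (2) holds
    print("lfp with widening:   ", lfp(T, widening=True))  # (0, inf): condition (2) fails
    print("Park check T(S) <= S:", park_check(T, spec))    # True: condition (3) holds
```

Without widening the iteration converges to [0, 10] only because the guard bounds the loop; with widening the head state is extrapolated to [0, +inf), which is not below the specification [0, 10], so condition (2) fails while condition (3) holds after a single application of T. That is exactly the situation the paragraph describes for the ML widening.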

On the contrary, the inductive verification method based on (sufficient) condition 
(3) does not require the computation of fixpoints. Therefore proving 
$T_P^\alpha(S_\alpha) \leq S_\alpha$ is, in general, not expensive even for complex abstract domains. 
Moreover, when the function $T_P^\alpha$ can be viewed as the union of functions $T_c^\alpha$ 
defined on the primitive components $c$ of a program, using condition (3) has another 
advantage. Proving condition $T_P^\alpha(S_\alpha) \leq S_\alpha$ boils down to verifying $T_c^\alpha(S_\alpha) \leq S_\alpha$ 
for every $c$ of $P$. In this case, this allows us to prove (3) compositionally. For 
example, in logic programming the condition $T_P^\alpha(S_\alpha) \leq S_\alpha$ can be verified by 
proving, for each clause $c \in P$, $T_{\{c\}}^\alpha(S_\alpha) \leq S_\alpha$. This approach is also useful for 
abstract debugging [?]. If, in the compositional proof of $T_P^\alpha(S_\alpha) \leq S_\alpha$, we fail in 
the program component $c$, there is a possible bug in $c$. 

For all the above reasons, we consider verification methods based on condition 
(3). Therefore, in order to derive effective verification methods we need to 
choose an abstract domain $(A, \leq)$ where 

— the intended abstract behavior (specification) $S_\alpha \in A$ has a finite representation; 

— $\leq$ is a decidable relation. 

This allows us to use, in addition to all the Noetherian abstract domains used 
in static analysis, non-Noetherian domains (such as polymorphic type domains 
for functional languages), which lead to finite abstract semantics and finite 
representations of properties. 

Hence, every time we have a static analysis computed by a fixpoint abstract 
semantics operator, we can systematically realize a verifier based on condition (3). 
We only need to realize the $\leq$ operation on the abstract domain $A$. 
The verifier is a tool which applies the abstract fixpoint semantic operator once 
to the user specification $S_\alpha \in A$ and verifies that the result is indeed $\leq S_\alpha$. 
In this paper we show how easy this process can be by showing three different 
examples. All verification tools we will present here are obtained by starting from 
static analyzers defined on type domains. We prove that our approach is very 
general and flexible by defining verification tools for three different paradigms: 
Functional, Logic and Constraint Logic Programming. In particular, the verification 
tool for functional programming, presented in Section 3, is obtained 
from a static analyzer which implements one of the polymorphic type domains 
introduced by Cousot in [?]. The verification tool for logic programming, presented 
in Section 4, is obtained from a static analyzer on a type domain designed 
by Codish and Lagoon [3]. Finally, the verifier for CLP programs, presented in 
Section 5, is obtained starting from the type analyzer described in [?]. 

3 Type Inference in Higher Order Functional Languages 

As we will show in the following, the “higher-order types” abstract domain is 
non-Noetherian. This is therefore a typical case of application of our approach 
based on the effective sufficient condition (3), which does not require fixpoint 
computations. 

Our language is a small variation of untyped λ-calculus as considered in [?]. 
[?] shows that several known type systems and corresponding type inference 
algorithms can systematically be derived from (the collecting version of) a concrete 
denotational semantics. The main advantage of the abstract interpretation 
approach to type inference is that the type abstract interpreters are correct, by 
construction, w.r.t. the concrete semantics. This means that “the type of the 
concrete value computed by the concrete semantics is in general more precise 
than the type computed by the type abstract interpreter”. As is often the 
case with abstract interpretation, approximation is introduced by abstract computations. 
By looking at the relation between the concrete semantics and the 
abstract interpreters, we can reason about the relative precision of different type 
inference algorithms. 

The traditional point of view of type systems is quite different, since type 
inference is viewed as an extension of syntactic analysis. Namely, the (concrete) 
semantics is only defined for those programs which can be typed. Traditional type 
inference algorithms do also introduce approximation. However, this cannot be 
directly related to a concrete semantics, because the latter is based on the result 
of type inference. The result is that there exist programs which cannot be typed, 
yet would have a well-defined concrete semantics, i.e., there exist non-typable 
programs which would never go wrong, if provided with a concrete semantics 
with “dynamic” type checking. Let us look at a couple of examples, where we 
use the ML syntax. The ML expression (taken from [5]) 

let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1 
in f (function x -> x+1) (function x -> x+1) 10 5;; 

This expression has type (’a -> ’a) -> ’b but is here used with type ’b. 

which is an application of the function f of Figure 1, cannot be typed by the 
Damas-Milner algorithm [?]. By using a concrete semantics with “dynamic” 
type checking, we would obtain a correct concrete result (-: int=16). 

The expression is indeed a type correct application of the function 
f f1 g n x = $g(f_1^n(x))$, which has the type (’a -> ’a) -> (’a -> ’b) -> int -> ’a -> ’b. 
As we will see in the following, the function cannot be typed by the Damas-Milner 
algorithm, because of an approximation related to recursive functions. 
The same approximation does not allow the Damas-Milner algorithm to type 
the expression 

# let rec f x = x and g x = f (1+x) in f f 2;; 

This expression has type int -> int but is here used with type int 

Because of the approximation related to the “syntactic” mutual recursion, the 
type assigned to f is int -> int rather than ’a -> ’a. Again, a concrete semantics 
with dynamic type checking would compute a correct concrete result 
(-: int=2). The abstract interpreter considered in the next section succeeds in 
correctly typing the above expressions and is, therefore, more precise than the 
Damas-Milner algorithm. 

3.1 A Type Abstract Interpreter 

Following the approach in [?], we have developed (and implemented in OCAML 
[?]) several abstract interpreters for inferring principal types, represented as 
Herbrand terms with variables, for various notions of types (monomorphic types 
à la Hindley, let polymorphism and polymorphic recursion). 
For the current presentation we will represent programs using the syntax of 
ML. Since we will sometimes compare our results with those obtained by the 
Damas-Milner algorithm, we will just consider the let-polymorphic abstract 
interpreter¹, which corresponds to the ML type system. 

The language has one basic type only: int. Types are Herbrand terms, built 
with the basic type int, variables and the (functional) type constructor ->. 

The actual domain of the abstract interpreter is more complex, and contains 
explicitly quantified terms and constraints. For the sake of our discussion, 
abstract values will simply be (equivalence classes under variable renaming of) 
terms. The partial order relation is the usual instantiation relation, i.e., $t_1 \leq t_2$ if 
$t_2$ is an instance of $t_1$. Note that the resulting abstract domain is non-Noetherian 
since there exist infinite ascending chains. 

Our let-polymorphic type interpreter turns out to be essentially equivalent 
to the Damas-Milner algorithm, with one important difference, related to the 
abstract semantics of recursive functions. Such a semantics should in principle 
require a least fixpoint computation. However, since the domain is non-Noetherian, 
the fixpoint cannot, in general, be reached in finitely many iterations. The problem 
is solved in the Damas-Milner algorithm by using a widening operator 
(based on unification) after the first iteration. Widening operators [12] give an 
upper approximation of the least fixpoint and guarantee termination by introducing 
further approximation. We apply the same widening operator after k 
iterations. This often allows us to reach the least fixpoint and, in any case, 
achieves better precision. 

The “let” and “let rec” constructs are handled as “declarations”; the abstract 
semantic evaluation function for declarations has the following type: 
semd : declaration -> env -> int -> env, where env is the domain of abstract 
environments, which associates types to identifiers, and the integer parameter is 
used to control the approximation of the widening operator. 

We now show the analysis of a recursive function pi which computes 
$\prod_{n=a}^{b} f(n)$. The result is an environment where the function identifier pi is 
bound to its inferred type. 

# semd (let rec pi f a b = 
    if (a - (b +1) = 0) then 1 else (f a) * (pi f (a +1) b)) [] 0;; 

- : env = [ pi <- (int -> int) -> int -> int -> int ] 

Consider now the recursive function f in Figure 1. The evaluation of the 
abstract semantic evaluation function semd with the control parameter set to 0 
gives us the result of the Damas-Milner algorithm, i.e., f cannot be typed. 

# semd (let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1) [] 0;; 

- : env = [ f <- Notype ] 

¹ The abstract syntax of the language, together with the concrete semantics, the 
implementation of the abstract domain and the resulting abstract interpreter can be 
found at http://www.di.unipi.it/~levi/typesav/paginal.html. 
However, the application of semd with the control parameter set to 3 computes 
the (following) right type for f, which is indeed the least fixpoint. 

# semd (let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1) [] 3;; 

- : env = [ f <- (’a -> ’a) -> (’a -> ’b) -> int -> ’a -> ’b ] 

When the control parameter is set to −1, the system will try to compute the least 
fixpoint without using the widening operator. 

3.2 From the Type Interpreter to the Type Verifier 

Once we have the abstract semantic evaluation function semd, we can easily use 
it for program verification, by taking an abstract environment as specification 
(abstraction of the intended semantics). Assume we want to verify a declaration d 
w.r.t. a specification S, by “implementing” the sufficient condition (3) ($T_P^\alpha(S_\alpha) \leq 
S_\alpha$), where $\leq$ is the lifting to abstract environments of the partial order relation 
on terms. The application of the abstract semantic evaluation to the specification 
can be implemented as follows: 

1. if d = (let f = e) is the declaration of a non recursive function f, semd d S k 
returns a new environment S', where f is bound to the type computed by 
assuming that all the global names have the types given in the specification. 

2. if d = (let rec f = e) is a declaration of a recursive function f, semd (let f = 
e) S k returns a new environment S', where f is bound to the type computed 
by assuming that all the global names and f have the types given in the 
specification. In other words, we take the type for f given in the specification 
and we evaluate the body of the recursive function once, to get a new type 
for f. Note that we abstractly execute the recursive function body just once 
and we do not compute the fixpoint. Note also that the control parameter 
is possibly used only for approximating fixpoints corresponding to recursive 
functions occurring within e. 

We are then left with the problem of establishing whether S' ≤ S. Since S' 
can only be different from S in the denotation of f, we can just show that S(f) 
is an instance of S'(f). The verification method can then be implemented by a 
function checkd : declaration -> specification -> int -> bool consisting of three 
lines of ML code. 

It is worth noting that checkd allows us to verify a program consisting of a 
list of function declarations in a modular way. Each declaration is verified in 
a separate step, by using the specification for determining the types of global 
identifiers. 
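The two cases above describe checkd in terms of semd. As an added example, which is not the paper's OC AML code and not the implementation referenced in the footnote, the following Python block carries out the same check on a toy subset of the language (integer constants, abstractions, applications and an `if c = 0 then .. else ..` test): types are Herbrand terms, `unify` provides the abstract evaluation of an application, `is_instance` is the instantiation order on terms, and `checkd` evaluates the body of a declaration once with every global name, the declared name included, typed by the specification, then checks that the specified type is an instance of the computed one. Primitives such as `pred` (n-1) are simply further globals typed by the specification. The expression encoding, the `ifz` construct and all function names are this example's own choices; the function f of Figure 1 is transcribed into that encoding so that the checkd results of Figures 2 and 3 can be reproduced.

```python
from itertools import count

# Types are Herbrand terms: INT, ("var", name) or ("fun", dom, cod).  Types in a
# specification are schemes: their variables are implicitly quantified.
INT = ("int",)
_fresh = count()
fresh = lambda: ("var", f"t{next(_fresh)}")
# fun(a, b, c) builds the right-nested function type a -> b -> c.
fun = lambda *ts: ts[0] if len(ts) == 1 else ("fun", ts[0], fun(*ts[1:]))

def resolve(t, subst):
    """Apply the substitution throughout t."""
    if t[0] == "var":
        return resolve(subst[t[1]], subst) if t[1] in subst else t
    return ("fun", resolve(t[1], subst), resolve(t[2], subst)) if t[0] == "fun" else t

def type_vars(t):
    if t[0] == "var":
        return {t[1]}
    return type_vars(t[1]) | type_vars(t[2]) if t[0] == "fun" else set()

def unify(a, b, subst):
    """Most general unifier of a and b on top of subst; TypeError if there is none."""
    a, b = resolve(a, subst), resolve(b, subst)
    if a == b:
        return subst
    if a[0] == "var":
        if a[1] in type_vars(b):            # occurs check
            raise TypeError("cyclic type")
        return {**subst, a[1]: b}
    if b[0] == "var":
        return unify(b, a, subst)
    if a[0] == "fun" and b[0] == "fun":
        return unify(a[2], b[2], unify(a[1], b[1], subst))
    raise TypeError(f"cannot unify {a} with {b}")

def instantiate(scheme):
    """Fresh copy of a specification type: each use may pick its own instance."""
    return resolve(scheme, {v: fresh() for v in type_vars(scheme)})

def is_instance(spec_t, inferred_t):
    """spec_t is an instance of inferred_t (inferred_t <= spec_t in the paper's order)."""
    sigma = {}
    def match(pat, tgt):
        if pat[0] == "var":
            return sigma.setdefault(pat[1], tgt) == tgt
        if pat[0] == "fun" and tgt[0] == "fun":
            return match(pat[1], tgt[1]) and match(pat[2], tgt[2])
        return pat == tgt
    return match(inferred_t, spec_t)

# Toy expressions (this example's own encoding): ("int", n) | ("var", x) |
# ("lam", x, body) | ("app", f, arg) | ("ifz", c, then, else)  -- if c = 0 then .. else ..
def lam(params, body):
    for p in reversed(params):
        body = ("lam", p, body)
    return body

def app(f, *args):
    for a in args:
        f = ("app", f, a)
    return f

def infer(e, local, spec, subst):
    """One abstract evaluation of e: lambda-bound names are monomorphic (local),
    every other name is a global whose type is taken from the specification."""
    kind = e[0]
    if kind == "int":
        return INT, subst
    if kind == "var":
        return (local[e[1]] if e[1] in local else instantiate(spec[e[1]])), subst
    if kind == "lam":
        tv = fresh()
        body_t, subst = infer(e[2], {**local, e[1]: tv}, spec, subst)
        return ("fun", tv, body_t), subst
    if kind == "app":
        f_t, subst = infer(e[1], local, spec, subst)
        a_t, subst = infer(e[2], local, spec, subst)
        r = fresh()
        return r, unify(f_t, ("fun", a_t, r), subst)
    if kind == "ifz":
        c_t, subst = infer(e[1], local, spec, subst)
        t_t, subst = infer(e[2], local, spec, unify(c_t, INT, subst))
        e_t, subst = infer(e[3], local, spec, subst)
        return t_t, unify(t_t, e_t, subst)
    raise ValueError(f"unknown expression {kind}")

def checkd(name, body, spec):
    """Condition (3) for `let [rec] name = body`: evaluate the body once with every
    global (name included) typed by the specification; the specified type of name
    must then be an instance of the computed one."""
    try:
        t, subst = infer(body, {}, spec, {})
    except TypeError:
        return False
    return is_instance(spec[name], resolve(t, subst))

# The function f of Figure 1 in the toy encoding (n-1 is written pred n), with
# the polymorphic specification of Figure 2 and the all-int one of Figure 3.
A, B, V = ("var", "a"), ("var", "b"), lambda x: ("var", x)
FIG1_F = lam(["f1", "g", "n", "x"],
             ("ifz", V("n"), app(V("g"), V("x")),
              app(V("f"), V("f1"), lam(["x", "h"], app(V("g"), app(V("h"), V("x")))),
                  app(V("pred"), V("n")), V("x"), V("f1"))))
PRINCIPAL = {"pred": fun(INT, INT), "f": fun(fun(A, A), fun(A, B), INT, A, B)}
ALL_INT = {"pred": fun(INT, INT), "f": fun(fun(INT, INT), fun(INT, INT), INT, INT, INT)}
```

`checkd("f", FIG1_F, PRINCIPAL)` returns True and `checkd("f", FIG1_F, ALL_INT)` returns False, as in Figures 2 and 3: with the all-int specification the recursive call forces the two-argument abstraction to unify with int -> int, which fails, whereas with the polymorphic specification each occurrence of f takes its own instance and the body evaluates to a renaming of the principal type. Because every global is instantiated freshly at each use, `checkd("g", app(V("id"), V("id")), {"id": fun(A, A), "g": fun(B, B)})` also succeeds, mirroring the polymorphism example of Section 3.3.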

We have also implemented the verification condition (2) ($\mathrm{lfp}_A(T_P^\alpha) \leq S_\alpha$) by 
an even simpler ML function checkdf : declarationlist -> type -> int -> bool, 
which requires the computation of the abstract semantics (and therefore needs 
a closed program, i.e., a list of declarations). The specification $S_\alpha$ is now the 
intended type of the last identifier in the list. In the following section we show 
and discuss some examples. 

3.3 Examples 

We show now two examples of verification (through checkd) of pi: in the second 
example, the verification fails since the type given in the specification is too 
general. 

# checkd (let rec pi f a b = if (a - (b +1) = 0) then 1 else 
    (f a) * (pi f (a +1) b)) [ pi <- (int -> int) -> int -> int -> int ] 0;; 

- : bool = true 

# checkd (let rec pi f a b = if (a - (b +1) = 0) then 1 else 
    (f a) * (pi f (a +1) b)) [ pi <- (’a -> ’a) -> ’a -> ’a -> ’a ] 0;; 

- : bool = false 

We can also consider the verification of the traditional identity function id. Note 
that id is also correct w.r.t. a specification which is an instance of the correct 
principal type. 

# checkd (let id x = x) [ id <- ’a -> ’a ] 0;; 

- : bool = true 

# checkd (let id x = x) [ id <- int -> int ] 0;; 

- : bool = true 

Now we verify a function which is intended to compute the factorial and which 
is defined by a suitable composition of pi and id. In the verification, we use the 
specification rather than the semantics for pi and id. 

# checkd (let fact = pi id 1) [ pi <- (int->int)->int->int->int ; 
    id <- ’a -> ’a; fact <- int -> int ] 0;; 

- : bool = true 

If we use checkdf rather than checkd, we need to provide the complete set of 
declarations. Note that if we use a wrong definition for id, this turns out as an 
error in fact. 

# checkdf [let id x = x; let rec pi f a b = if (a - (b +1) = 0) then 1 
    else (f a) * (pi f (a +1) b); let rec fact = pi id 1] (int-> int) 0;; 

- : bool = true 

# checkdf [let id x y = x; let rec pi f a b = if (a - (b +1) = 0) then 1 
    else (f a) * (pi f (a +1) b); let rec fact = pi id 1] (int-> int) 0;; 

- : bool = false 

Now we show an example involving polymorphism, where two occurrences of the 
polymorphic function id take different instances of the type in the specification. 

# checkd (let g = id id) [ id <- ’a -> ’a; g <- ’b -> ’b ] 0;; 

- : bool = true 

# checkd (let g = id id) [ id <- ’a -> ’a; g <- (’b-> ’b)-> (’b-> ’b) ] 0;; 

- : bool = true 

In Figure 2 we consider again the recursive function f of Figure 1. We now 
show that if we use the verification condition defined by checkdf (with widening 
control parameter set to 0), we fail in establishing the correctness w.r.t. the 
principal type (since, as we have already shown, the Damas-Milner algorithm 
fails). On the contrary, the verification condition defined by checkd succeeds. 

# checkdf [let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1] 
  ( (’a -> ’a) -> (’a -> ’b) -> int -> ’a -> ’b ) 0;; 

- : bool = false 

# checkd (let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1) 
  [ f <- (’a -> ’a) -> (’a -> ’b) -> int -> ’a -> ’b ] 0;; 

- : bool = true 

Fig. 2. Verification of the recursive function f. 

# checkd (let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1) 
  [ f <- (int -> int) -> (int -> int) -> int -> int -> int ] 0;; 

- : bool = false 

# checkdf [let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1] 
  ((int -> int) -> (int -> int) -> int -> int -> int ) (-1);; 

- : bool = true 

# checkd (let g = (let rec f f1 g n x = if n=0 then g(x) 
    else f (f1) (function x -> (function h -> g(h(x)))) (n-1) x f1 
  in f) (function x -> x + 1)) 
  [ g <- (int -> int) -> int -> int -> int ] (-1);; 

- : bool = true 

Fig. 3. Verification of the recursive function f. 

In Figure 3 we show some aspects related to the incompleteness of the verification 
method defined by checkd, still in the case of the function f of Figure 1. 
In fact, checkd fails to establish the correctness of f w.r.t. a specification 
in which all the variables in the principal type are instantiated to int. If we 
use the stronger verification method, based on the computation of the fixpoint 
(condition (2), without widening), we succeed. The last example shows that if 
we verify a specific application of f, we succeed again even with checkd, because 
the recursive definition, being inside a declaration, leads anyway to a fixpoint 
computation. 

Let us finally consider the issue of termination. The recursive function in 
the first example of Figure 4 is not typed by ML. If we try to verify it w.r.t. a 
specification assigning to it the type ’a -> ’a, we correctly fail by using both the 
verification method based on condition (3) and the verification method based 
on condition (2) with widening. If we apply condition (2) without widening, 
the verification process does not terminate. 
# let rec f x = f;; 

This expression has type ’a -> ’b but is here used with type ’b 

# checkd (let rec f x = f) [ f <- ’a -> ’a ] 0;; 

- : bool = false 

# checkdf [let rec f x = f] (’a -> ’a) 10;; 

- : bool = false 

# checkdf [let rec f x = f] (’a -> ’a) (-1);; 

Interrupted. 

Fig. 4. Verification of the non terminating function f. 



4 Type Verification in Logic Languages 

In this section we will show an example of transformation of an analyzer for 
logic programming into a verifier. As in the case of functional programming we 
will consider an abstract domain of types. This domain of types for logic programming 
was introduced in [?]. In order to formally introduce it, we have first 
to define the abstraction from concrete terms to type terms. Type terms in this 
domain are associative, commutative and idempotent. They are built using a 
binary set constructor + and a collection of monomorphic and polymorphic description 
symbols. The monomorphic symbols are constants (e.g. num/0, nil/0) 
and the polymorphic symbols are unary (e.g. list/1). Intuitively, the description 
symbols represent sets of function symbols in the corresponding concrete alphabet. 
For example, the description symbol list might be defined to represent the 
cons/2 symbol in the concrete alphabet and the description symbol num might 
represent the symbols 0, 1, etc. The abstraction function is defined by induction 
on terms: 

$$\tau(t) := \begin{cases} 
X & \text{if } t \text{ is the variable } X \\ 
num & \text{if } t \text{ is a number} \\ 
nil & \text{if } t = [\,] \\ 
list(\tau(t_1)) + \tau(t_2) & \text{if } t = [t_1 \mid t_2] \\ 
other & \text{otherwise} 
\end{cases}$$

Thus, the abstractions of terms $[-3,0,7]$, $[X,Y]$ and $[X \mid Y]$ are $list(num) + nil$, 
$list(X) + list(Y) + nil$ and $list(X) + Y$ respectively. 

Abstract atoms are simply built with abstract terms, and $\tau(p(t_1, \ldots, t_n)) := 
p(\tau(t_1), \ldots, \tau(t_n))$. Our abstract domain will be the types domain $\mathcal{D}_\tau$, which is 
the power-set of abstract atoms ordered by set inclusion. 
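As an added example, not code from the analyzer of Codish and Lagoon nor from the paper, the following Python block implements the abstraction $\tau$ above over a constructed term representation. A type term is a frozenset of summands, so the set constructor + is associative, commutative and idempotent by construction; `tau_atom` lifts the abstraction to atoms and `leq` is the inclusion order of $\mathcal{D}_\tau$. The term encoding, `plist` and the printing order of `show` are this example's own choices.

```python
# Concrete terms (constructed representation for this example):
#   int                     a number
#   ("var", "X")            a variable
#   ("nil",)                the empty list []
#   ("cons", head, tail)    [head | tail]
#   ("f", name, *args)      any other function symbol
# A type term is a frozenset of summands; + is the ACI set constructor, so
# associativity, commutativity and idempotence hold by construction.  Summands:
#   "num" | "nil" | "other" | ("var", "X") | ("list", <type term>)

def tau(t):
    """The abstraction function tau, defined by induction on the term."""
    if isinstance(t, int):
        return frozenset({"num"})
    if t[0] == "var":
        return frozenset({t})
    if t[0] == "nil":
        return frozenset({"nil"})
    if t[0] == "cons":
        return frozenset({("list", tau(t[1]))}) | tau(t[2])   # list(tau(t1)) + tau(t2)
    return frozenset({"other"})

def tau_atom(atom):
    """tau(p(t1, ..., tn)) := p(tau(t1), ..., tau(tn)); an atom is (name, *args)."""
    name, *args = atom
    return (name, *(tau(a) for a in args))

def leq(d1, d2):
    """Order of the types domain D_tau: set inclusion of sets of abstract atoms."""
    return frozenset(d1) <= frozenset(d2)

def plist(*items, tail=("nil",)):
    """Build the Prolog list [i1, ..., in | tail] in the concrete representation."""
    t = tail
    for it in reversed(items):
        t = ("cons", it, t)
    return t

def show(tt):
    """Render a type term in the paper's notation, e.g. list(num) + nil."""
    def render(s):
        if isinstance(s, str):
            return s
        return s[1] if s[0] == "var" else f"list({show(s[1])})"
    def key(s):   # list(...) summands first, then variables, then constants
        rank = 0 if isinstance(s, tuple) and s[0] == "list" else 1 if isinstance(s, tuple) else 2
        return (rank, render(s))
    return " + ".join(render(s) for s in sorted(tt, key=key))

if __name__ == "__main__":
    X, Y = ("var", "X"), ("var", "Y")
    print(show(tau(plist(-3, 0, 7))))                    # list(num) + nil
    print(show(tau(plist(X, Y))))                        # list(X) + list(Y) + nil
    print(show(tau(plist(X, tail=Y))))                   # list(X) + Y
    print(show(tau_atom(("safe", plist(1, 2, 3)))[1]))   # list(num) + nil
```

Idempotence is what makes the domain finite for a fixed alphabet: the lists [1], [1,2] and [1,2,3] all abstract to the same term list(num) + nil, so a set of abstract atoms such as a specification over $\mathcal{D}_\tau$ can be written down in full and compared with `leq`.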



4.1 From the Type Analyzer to the Type Verifier 

We have already discussed how, once we have the abstract semantic evaluation 
function $T_P^\alpha$, we can easily define a verification method based on condition (3). 
Actually, depending on the chosen evaluation function $T_P^\alpha$, we can prove partial 
correctness of a program w.r.t. different properties. For example, we can prove 
that a program $P$ is correct w.r.t. the intended types of the successful atoms 
or w.r.t. the intended types of the computed answers and so on. More concrete 
semantic evaluation functions lead to stronger verification methods. Here, 
in order to show some interesting examples, we consider a very strong method: 
the I/O and call correctness method over the type domain. It is obtained by 
instantiating the $T_P^\alpha$ semantic evaluation function of condition (3) with an abstract 
semantic operator which is able to model the functional type dependencies 
between the initial and the resulting bindings for the variables of the goal plus 
information on call patterns. Specifications are therefore pairs of pre and post 
conditions, which describe the intended input-output type dependencies. They 
are formalized as partial functions from GAtoms (the set of all generic atoms) 
to the domain $\mathcal{D}_\tau$ (denoted by $\mathcal{A}_\tau := [GAtoms \to \mathcal{D}_\tau]$) and are ordered by $\sqsubseteq$, 
the pointwise extension of $\subseteq$ on $\mathcal{A}_\tau$. 

Proving condition (3) guarantees that for every procedure the post condition 
holds whenever the pre conditions are satisfied and that the pre conditions are 
satisfied by all the procedure calls. It is worth noting that the verification conditions 
obtained in this case from condition (3) are a slight generalization of the 
ones defined by the Drabent-Maluszynski method [?]. 

We have developed a prototype verifier² which is able to test our verification 
conditions on the types domain. The verifier is obtained by using 
the existing abstract operations defined in the type analyzer implemented by 
Lagoon³. The verification method can then be implemented by a function 
verifyIOcall : clause -> InputSpec -> OutputSpec -> bool consisting of several 
Prolog predicates which implement condition (3) in the case of a $T_P^\alpha$ function which 
models the type dependencies of I/O and call patterns [?]. The code turns out 
to essentially compute ACI-unification between the abstractions of the atoms of 
a clause and all the matching items of the specification. Since the $\sqsubseteq$ operation 
on $\mathcal{A}_\tau$ is the pointwise extension of subset inclusion, the resulting set (which is 
necessarily finite) is then checked to be a subset of the specification. 

In the following section we show and discuss some examples. 



4.2 Examples 

The queens program of Figure 5 is proved to be correct w.r.t. the following 
intended specification over the type domain $\mathcal{A}_\tau$. 

c1: queens(X,Y) :- perm(X,Y), safe(Y). 
c2: perm([],[]). 
c3: perm([X|Y],[V|Res]) :- delete(V,[X|Y],Rest), perm(Rest,Res). 
c4: delete(X,[X|Y],Y). 
c5: delete(X,[F|T],[F|R]) :- delete(X,T,R). 
c6: safe([]). 
c7: safe([X|Y]) :- noattack(X,Y,1), safe(Y). 
c8: noattack(X,[],N). 
c9: noattack(X,[F|T],N) :- X =\= F, X =\= F + N, F =\= X + N, 
    N1 is N + 1, noattack(X,T,N1). 

Fig. 5. The queens program 

Call (pre-condition) specification: 

    queens(X, Y)       ↦ { queens(nil + list(num), T), queens(nil, T) } 
    perm(X, Y)         ↦ { perm(nil + list(num), T), perm(nil, T) } 
    delete(X, Y, Z)    ↦ { delete(T, nil + list(num), U), delete(T, nil, U) } 
    safe(X)            ↦ { safe(nil + list(num)), safe(nil) } 
    noattack(X, Y, Z)  ↦ { noattack(num, nil, num), noattack(num, nil + list(num), num) } 

Success (post-condition) specification: 

    queens(X, Y)       ↦ { queens(nil, nil), queens(nil + list(num), nil + list(num)) } 
    perm(X, Y)         ↦ { perm(nil, nil), perm(nil + list(num), nil + list(num)) } 
    delete(X, Y, Z)    ↦ { delete(num, nil + list(num), nil), delete(num, nil + list(num), nil + list(num)) } 
    safe(X)            ↦ { safe(nil + list(num)), safe(nil) } 
    noattack(X, Y, Z)  ↦ { noattack(num, nil, num), noattack(num, nil + list(num), num) } 

As we have already pointed out, the verification method based on condition 
(3) is compositional. Therefore, in order to perform the I/O and call correctness 
verification, we apply the predicate verifyIOcall to the clause to be 
verified and to the pre-post program specifications (both given as lists of type 
atoms). In this way, if the predicate verifyIOcall returns false we can have a hint 
on the clause that may be wrong. In the following, for the sake of readability, we 
have chosen to skip the specification arguments in the calls to the tool (except 
for the first). We can now prove that the queens program is correct w.r.t. the 
I/O and call correctness conditions. 

| ?- verifyIOcall((queens(X,Y) :- perm(X,Y), safe(Y)), 
       [queens(nil+list(num),U), queens(nil,U), 
        perm(nil+list(num),U), perm(nil,U), safe(nil+list(num)), safe(nil), 
        delete(T,nil+list(num),U), delete(T,nil,U), 
        noattack(num,nil,num), noattack(num,nil+list(num),num)], 
       [queens(nil+list(num),nil+list(num)), queens(nil,nil), 
        perm(nil+list(num),nil+list(num)), perm(nil,nil), 
        delete(num,nil+list(num),nil+list(num)), 
        delete(num,nil+list(num),nil), safe(nil+list(num)), safe(nil), 
        noattack(num,nil,num), noattack(num,nil+list(num),num)]). 

Clause is OK. 

² Available at URL: http://www.dimi.uniud.it/~comini/Projects/PolyTypesVerifier/ 

³ Available at URL: http://www.cs.bgu.ac.il/~mcodish/Software/aci-types-poly.tgz 
:- entry nqueens(int, any). 

nqueens(N,List) :- length(List,N), List::1..N, constraint_queens(List), 
    labeling(List, 0, most_constrained, indomain). 
constraint_queens([X|Y]) :- safe(X,Y,1), constraint_queens(Y). 
constraint_queens([]). 

safe(X,[Y|T],K) :- noattack(X,Y,K), K1 is K+1, safe(T,Y,K1). 
safe(_,[],_). 

noattack(X,Y,K) :- X #\= Y, Y #\= X+K, X #\= Y+K. 

Fig. 6. The CHIP queens program 



The same answer is given for all the other clauses of the program. 

Note that if we change the order of the atoms in the body of clause c1 we 
obtain the clause c1’: queens(X,Y) :- safe(Y), perm(X,Y), which can no 
longer be proved correct w.r.t. the considered specification. Indeed, now Y in 
the call safe(Y) is not assured to be a list of numbers. The tool detects that 
there is something potentially wrong: 

| ?- verifyIOcall((queens(X,Y) :- safe(Y), perm(X,Y)), [...], [...]). 

Clause may be wrong because call safe(U) (atom number 1 of body) is not 
in the call-specification. 



5 Type Verification in Constraint Logic Languages

Another example of the transformation methodology of an analyzer is [1], where
the resulting tool is employed to diagnose CHIP programs w.r.t. type informa-
tion. Types are over-approximations of program semantics. This is the descrip-
tive approach to types. The abstract domain is a space of types, described by a
restricted class of CLP programs called regular unary constraint logic (RULC)
programs [ini. This class is a generalization to constraint logic programming of
regular unary programs (used by [17,16]). Thus, the specification S is a RULC
program and the abstract immediate consequence operator is the one operating
on RULC programs of [ig. If the type generated for the head of a clause c by
the abstract immediate consequence operator T^α_c applied to S is not a subtype
of the corresponding predicate in S, then the clause is responsible for generating
wrong type information. S is given "by need" by querying the user about the
correctness of the actual semantics (which is computed by the analyzer) and,
in case it is needed, about the intended types.

A prototype of the type diagnoser (available at the URL given in the footnote
below) has been implemented as an extension of the type analyzer of CHIP
programs of m. Consider the wrong CHIP version of the queens program of
Figure 6. The call safe(X,T,K1) in the recursive definition of safe has been
replaced by the wrong call safe(T,Y,K1). The interaction with the call-success
diagnoser is as follows.

Available at URL: http://www.ida.liu.se/~pawpi/Diagnoser/diagnoser.html

Do you like Call-Type constraint_queens(list(anyfd))? YES
Do you like Call-Type safe(list(anyfd), list(anyfd), int)? NO
What should it be? anyfd, list(anyfd), int.

Do you like Succ-Type safe(list(anyfd), [], int)? NO
What should it be? anyfd, list(anyfd), int.

Do you like Succ-type constraint_queens(([]|[anyfd]))? NO
What should it be? list(anyfd).

Do you like Succ-Type noattack(anyfd, anyfd, int)? YES

Diagnoser WARNING: Clause "safe(X,[Y|T],K) :- noattack(X,Y,K), K1 is K+1,
safe(T,Y,K1)" suspiciuos because of atom safe(T,Y,K1).

Do you like Call-Type noattack(list(anyfd), anyfd, int)? NO
What should it be? anyfd, anyfd, int.

Do you like Succ-Type nqueens(nnegint, ([]|[anyfd]))? NO
What should it be? int, list(int).

End of diagnosis, no (more) warnings.

Thus we are warned about the (only) incorrect clause of the program. 

6 Conclusions 

Based on the theory of abstract verification, as proposed in [S], we have shown
how it is possible and "easy" to transform static analyzers (with suitable prop-
erties) into automatic verifiers. In this paper we have presented three different
verification tools based on different type domains for functional, logic and CLP
programming. However, our abstract verification approach is general and flexi-
ble. Existing static analyzers can be transformed into verification tools dealing
with different abstract domains for different programming paradigms, provided
the analyzers are defined as construction of abstract fixpoint semantics.
Abstract. The Andorra Model is a computation model to improve the
efficiency of Prolog programs as well as to exploit parallelism. The model
was designed in two stages: the basic model and the extended model. The
major difference between the two is that a binding determinacy principle
replaced the original clause determinacy principle, and an and-or box
rewriting computation replaced the traditional resolution.

This work aims to tackle some unsolved problems left in the Extended 
Andorra Model. We propose to replace the original and-or box rewriting 
method by a targeted search. The search is called targeted because we 
only look for possible solutions of certain specified variables. The vari- 
ables shared between different local computations can be dynamically 
changed to finite domain variables after the targeted search, and their 
consistency checked eagerly. Therefore, many unnecessary or-branches 
can be pruned at an early stage. A special feature of our domain vari- 
able is that we allow a domain to contain non-ground compound terms, 
i.e., open structures. Variables within these open structures can also be- 
come domain variables, leading to nested domain variables. 

We have tested our idea by an experimental implementation under SIC- 
Stus Prolog, and obtained very encouraging results. 



1 Introduction 



The Andorra model is a computation model designed to exploit both and- and 
or-parallelism in logic programs. It is also an execution model to improve the effi- 
ciency of Prolog programs by introducing new control strategies. The model was 
designed in two phases: the basic model and the extended model. The Basic An- 
dorra Model is based on clause determinacy. That is, goals which do not create a 
choice point (i.e., determinate goals) are always eagerly executed. The Andorra-
I system [dl9llUll4], a prototype of the Basic Andorra Model, was successfully
developed by a research group led by David Warren at Bristol University. Al-
though the Basic Andorra Model can reduce search space for many types of
application, it is powerless for applications with so-called independent and-par-
allelism. In the Extended Andorra Model [13], a binding determinacy principle
replaced the original clause determinacy principle, and an and-or box rewriting
computation replaced traditional resolution. This was regarded as an interesting
and promising idea, but it needed more study and investigation. Meanwhile, a
team of researchers at SICS was working on a similar idea but with explicit
control. The outcome of this was a powerful new logic programming language,
Andorra Kernel Language [S]. However, creating a new language was not a ma-
jor focus for the Bristol team. David Warren's interest was to explore the model
with implicit control. Unfortunately, the Extended Andorra Model with implicit
control was not able to be put into practice because of lack of funding.

In this paper, we present our recent work on the Extended Andorra Model. 
The work aims to tackle some unsolved problems left in the model. The focus 
is not parallelization of logic programs. The focus is to investigate efficient con- 
trol strategies and data structures. We propose to replace the original and-or 
box rewriting method by a targeted search. The search is called targeted search 
because we only look for possible solutions of certain specified variables. The vari- 
ables shared between different local computations can be dynamically changed 
to finite domain variables after the local search. The consistency of these do- 
main variables is checked eagerly. Therefore, many unnecessary or-branches can 
be pruned at an early stage. A special feature of our domain variable is that we 
allow a domain to contain non-ground compound terms, i.e., open structures. 
Variables within these open structures can also become domain variables, leading 
to nested domain variables. 

We have tested our idea by an experimental implementation under SICStus 
Prolog. The result is encouraging. 

The rest of the paper is organized as follows. Section 2 summarizes the An- 
dorra Model to make the paper self-contained. Section 3 presents our revised 
model. A large proportion of this section is to explain the idea of nested domain 
variables. In Section 4, implementation issues are discussed. Section 5 presents 
some test results. Related work is discussed in the following section, while the 
final section gives some conclusions. 

2 Andorra Model 

In the Basic Andorra Model, all determinate goals (i.e., goals which do not create 
choicepoints) are first executed concurrently. When no determinate goals are left, 
one goal is selected to fork or-branches, on each of which some goals may become 
determinate. The computation switches between these two phases. 

The Extended Andorra Model aimed to improve on the basic model by al-
lowing some non-determinate goals to run concurrently and eagerly, provided
that these non-determinate goals do not bind external variables. In order to ma-
nipulate multiple local non-determinate computations, an and-or box rewriting
scheme was designed. From the implementation point of view, the system would
no longer be stack based, but would be a breadth-first tree based system with
some intelligent control.

The Andorra Kernel Language [S] uses the Andorra principle as the compu-
tational model but the programming language is a guarded committed-choice
one, rather than Prolog. The language introduces non-determinate deep guards,
by which the user can explicitly define which goals can be searched locally. Al-
though the work on AKL has been overtaken by the Oz project [5], AKL's core
idea remains.



3 Our Revised Model 

3.1 A General Description of the Model 

The revised Andorra model has three computation phases: determinate execu-
tion, targeted search, and global forking. The computation flow is as shown in
Figure 1.

[Figure 1 (flow chart, not reproduced): start; determinate execution while there
are determinate goals; targeted search; global forking.]

Fig. 1. Three phases in our model



The determinate phase is exactly the same as that of the Basic Andorra
Model. When there is no determinate goal left, we enter the targeted search
phase. The purpose of this phase is to eagerly collect solutions or partial solutions
where it is beneficial and not too expensive. The idea is similar to the lookahead
technique except that lookahead is used to reduce existing domains for
a variable while our target search can also generate a domain for an unbound
variable.

We impose some conditions on which goals are eligible for targeted search. 
Taking the classic Prolog program member/2 as an example:

member(X,[X|_]).
member(X,[_|T]) :- member(X,T).

the condition for member /2 to perform targeted search could be that the second 
argument is a ground list. We assume that this kind of condition may be obtained 
by compile-time analysis or by a user declaration. During the targeted search 
phase, all goals satisfying the targeted search condition are executed. 

To illustrate our model, we use a very simple query which finds common 
numbers that belong to both the primes list and the fibonacci list (the size of 
both lists is 1000). 

?- primes(1000,L1), member(X,L1), fib(1000,L2), member(X,L2).

If the above query is run under Prolog, all goals are executed left-to-right and 
depth-first. As it is not a well-ordered query, the computation for fib(1000,L2) 
is repeated unnecessarily. 

Under the Basic Andorra Model, the two determinate goals,
primes(1000,L1) and fib(1000,L2), are executed first. Then the value
of X is obtained through backtracking, avoiding the problem caused by badly
ordered queries. Our new model executes the two determinate goals in exactly
the same way as the Basic Andorra Model, but after this we enter the targeted
search phase instead of making a global choicepoint. We evaluate the two
member goals and produce a set of possible bindings for the variable X. Note
that for this example, although the global forking is avoided, the targeted search
does not save computation effort. That is, it needs the same computation steps
as the Basic Andorra Model does. In the next subsection, we will show the real
advantages of the targeted search.



3.2 Targeted Search 

Why is targeted search necessary? When is it necessary? The simple example 
given in the last subsection does not show a great deal of its advantages. The 
following is a more convincing example taken from [?]. Assume that we have a 
world geometry database and suppose that we need to find two countries, one 
in Africa and one in Asia, such that both countries are situated on the coast of 
the same ocean. This can be expressed by the following Prolog query: 

?- ocean(X), borders(X,C1), country(C1), in(C1,africa),
   borders(X,C2), country(C2), in(C2,asia).

When the query is executed by Prolog, much unnecessary backtracking takes
place. For instance, when ocean(X) returns a solution atlantic to variable X,
the computation eventually fails at the last goal in(C2,asia). Ideally, at this
point, we would hope to retry ocean(X). However, Prolog has to backtrack to the
latest choicepoint, borders(X,C1). Therefore, all computation to produce many
new countries bordering atlantic is actually wasted. This is a typical example
of independent and-parallelism, where Prolog's chronological backtracking faces
a real defeat and so does the Basic Andorra Model.

The Extended Andorra Model was partly motivated by the need to tackle
this kind of problem. The actual approach proposed [13] was to construct
an and-or tree and allow some local non-determinate computations to execute
simultaneously provided that they do not create non-determinate bindings to
external variables. One concern with this approach was the cost of rewriting
the and-or tree. Moreover, under Warren's implicit control, it was not clear how
to identify whether a local search can eventually stop or at what point a local
search should be stopped.

In our revised model, we apply a local computation to collect the possible 
bindings for some specified variables. After the local computation, these variables 
are changed to finite domain variables. Assigning an unbound variable to a finite 
domain is a determinate binding, so it can be performed without any delay. 

Through program analysis, user annotation, or both, we can determine for 
which programs, with which condition, it is worth performing this kind of local 
computation. Most importantly, we need to make sure the search can be termi- 
nated. For example, in the world geography database, the borders/2 relation 
consists of nearly 1000 pairs. One possible criterion is to perform local compu- 
tation for a goal only if at least one of its arguments is bound. Alternatively, we 
might decide to allow local computation for any relation defined only by clauses 
with no body goals, such as borders/2, because local computation would always 
terminate. 

Now we make some concrete decisions. Assume that borders/2 and in/2
can perform local computation when one of their arguments is a constant, while
ocean/1 and country/1 can perform local computation when their argument is
either a constant or a finite domain variable. Then, under our model the above
query is executed in the following way:



?- ocean(X), borders(X,C1), country(C1), in(C1,africa),
   borders(X,C2), country(C2), in(C2,asia).

   | targeted search for in(C1,africa) and in(C2,asia)
   | C1 and C2 become domain variables
   v

?- ocean(X), borders(X,C1), country(C1),
   borders(X,C2), country(C2).

   | targeted search for country(C1) and country(C2)
   | the domains of C1 and C2 are reduced
   v

?- ocean(X), borders(X,C1), borders(X,C2).

   | using ocean(X) to make non-determinate forking
   v
   +-- X = arctic_ocean   -> fail
   +-- X = indian_ocean   -> C1 = dvar([djibouti, ...]), C2 = dvar([bangladesh, ...])
   |                         -> solutions found
   +-- X = southern_ocean -> fail

Alternatively, if an eager search strategy is used, we can apply targeted search 
to all goals in the query. Then we can enter the non-determinate forking by 
labelling the domain variable X. In either case, we can avoid unnecessary back- 
tracking. 

3.3 Nested Domain Variables 

The above example only demonstrates the simple case where the targeted search 
can return a set of constants. There are many other cases where the possible 
bindings of a variable are not constants, but compound terms with unbound 
variables. 

The following is an example given by David Warren m and also studied by
other researchers [B].

sublist([],[]).
sublist([X|L],[X|L1]) :- sublist(L,L1).
sublist(L,[_|L1]) :- sublist(L,L1).

?- sublist(L,[c,a,t,s]), sublist(L,[l,a,s,t]).

Under Prolog’s left-right and depth-first execution order, the first goal gen- 
erates a sublist of a given list, and the second goal tests whether the sublist is 
also a sublist of another given list. The number of possible sublists of a given list 
L is 2^n where n is the length of L. Therefore, the time complexity of the above
query is O(2^n) under Prolog's control strategy. A classical question is: can we
improve the efficiency of an algorithm by changing only the control but not the
logic? In the above example, if two goals can be executed concurrently (or in a
coroutined way), then the test goal (i.e., the second sublist) can run eagerly
to prevent unwanted sublists at an early stage.

It would be no use if our targeted search on sublist returned all possible 
sublists. We should only search sublists with the first element filled as the first 
step, then search for the rest of the elements, one by one. This can be achieved by 
a “shallow” local search which only looks for possible bindings to the head of the 
sublist. That is, for instance, the shallow search on goal sublist(L, [c,a,t,s] ) 
returns 

L = dvar([],[c|_],[a|_],[t|_],[s|_]) 

During the search, the computation on the second clause 

(i.e., sublist([X|L],[X|L1]) :- sublist(L,L1))

stops after the head unification because the body goal no longer contributes to 
the first element of the list. 

Now we have a domain which contains some open-ended lists. This is a good 
place to explain our notion of nested domain variables. A nested domain variable 
has incomplete structures in its domain and these incomplete structures may 
contain domain variables. Going back to the example, all tail variables in the 
domain can become domain variables. This happens if targeted search is applied 
again, but this time it targets on the next element of the list. The domain of L 
would be updated to 



L = dvar([], [c|dvar([],[a|_],[t|_],[s|_])],
             [a|dvar([],[t|_],[s|_])],
             [t|dvar([],[s|_])],
             [s])



So far, we have ignored the second sublist goal in the query. Its targeted 
search should be performed simultaneously with the first goal. Assuming that 
the targeted searches switch between the two goals, the solution for the variable 
L is produced in the following steps: 

Step 1. search on the first goal targeted on the first element
L = dvar([],[c|_],[a|_],[t|_],[s|_])

Step 2. search on the second goal targeted on the first element

L's domain obtained from step 1 is immediately visible from the second goal.
Thus, this local search is actually to test existing domain values and remove
inconsistent ones, if any. The following is L's newly reduced domain:

L = dvar([],[a|_],[t|_],[s|_])

Step 3. search on the first goal targeted on the second element
L = dvar([], [a|dvar([],[t|_],[s|_])], [t|dvar([],[s|_])], [s])

Step 4. search on the second goal targeted on the second element
L = dvar([], [a|dvar([],[t|_],[s|_])], [t], [s])

Step 5. search on the first goal targeted on the third element
L = dvar([], [a|dvar([],[t|dvar([],[s|_])],[s])], [t], [s])

Step 6. search on the second goal targeted on the third element
L = dvar([], [a|dvar([],[t],[s])], [t], [s])

This represents the final solution for L. That is, 

L can be either [] , [a] , [a,t] , [a,s] , [t] , or [s] . 

From this example, we have shown how a nested domain variable is used as 
a communication channel between non-determinate computations. 
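The six steps above, carried out by an added Python model of the nested domain variable and of the "shallow" targeted search on sublist/2. This is example code written for this page, not the paper's SICStus implementation; the representation (a domain is a list of alternatives, an alternative is () for the empty list or (Elem, Tail) with Tail either the unbound marker OPEN or a nested domain) and the function names next_choices, targeted_search, show, solutions and solve are my own. The model generalizes the example slightly: any number of sublist goals sharing L can be alternated, and the targeted search both generates a domain for an unbound tail and filters an existing one.

```python
# Added example (not the paper's code): a Python model of the nested domain
# variable dvar(...) and of the "shallow" targeted search on sublist/2.
# sublist(L, Given) holds when L is a subsequence of Given.
OPEN = None  # an unbound tail, printed as `_` in the paper's notation
# A domain is a Python list of alternatives; an alternative is either ()
# (the empty list []) or (Elem, Tail) where Tail is OPEN or a nested domain.


def next_choices(given, prefix):
    """Elements that may follow `prefix` in a sublist of `given`, or None if
    `prefix` is not itself a sublist. Greedy leftmost matching is enough: it
    leaves the largest possible suffix of `given` for the next element."""
    pos = 0
    for x in prefix:
        try:
            pos = given.index(x, pos) + 1
        except ValueError:
            return None
    choices = []
    for y in given[pos:]:          # deduplicate, keeping the order of `given`
        if y not in choices:
            choices.append(y)
    return choices


def targeted_search(dom, given, depth, prefix=()):
    """One targeted search of sublist(L, given) aimed at element number `depth`
    of L (0 = head). An unbound tail at that depth is turned into a domain;
    an existing domain is only filtered, so a goal that runs second acts as
    a consistency check on what the first goal generated."""
    if dom is OPEN:
        if depth > 0:
            return OPEN          # shallower element not searched yet: leave open
        return [()] + [(x, OPEN) for x in (next_choices(given, prefix) or [])]
    new = []
    for alt in dom:
        if alt == ():
            new.append(alt)      # [] is a sublist of everything
            continue
        x, tail = alt
        choices = next_choices(given, prefix)
        if choices is None or x not in choices:
            continue             # inconsistent with this goal: prune the branch
        if depth == 0:
            new.append((x, tail))
        else:
            new.append((x, targeted_search(tail, given, depth - 1, prefix + (x,))))
    return new


def show(dom):
    """Render a domain in the paper's dvar(...) notation."""
    if dom is OPEN:
        return "_"
    return "dvar(" + ",".join(show_alt(a) for a in dom) + ")"


def show_alt(alt):
    if alt == ():
        return "[]"
    x, tail = alt
    if tail == [()]:             # only the empty tail is left: the closed list [x]
        return "[%s]" % x
    return "[%s|%s]" % (x, show(tail))


def solutions(dom):
    """All closed lists in a domain that has no open tails left."""
    out = []
    for alt in dom:
        if alt == ():
            out.append([])
        else:
            x, tail = alt
            if tail is OPEN:
                raise ValueError("domain still has an unbound tail")
            out.extend([x] + rest for rest in solutions(tail))
    return out


def solve(goals, max_depth):
    """Alternate the targeted searches of several sublist goals that share L,
    one element deeper each round, as in Steps 1-6 of the paper."""
    dom = OPEN
    trace = []
    for depth in range(max_depth):
        for given in goals:
            dom = targeted_search(dom, given, depth)
            trace.append(show(dom))
    return dom, trace


CATS = ["c", "a", "t", "s"]   # the paper's query: sublist(L,[c,a,t,s]), sublist(L,[l,a,s,t])
LAST = ["l", "a", "s", "t"]

if __name__ == "__main__":
    final, steps = solve([CATS, LAST], 3)
    for i, s in enumerate(steps, 1):
        print("Step %d. L = %s" % (i, s))
    print(solutions(final))  # [[], ['a'], ['a', 't'], ['a', 's'], ['t'], ['s']]
```

Running the block prints exactly the six domains listed above; the first goal never returns more than one level of the list per round, which is what keeps the domain from exploding into all 2^n sublists before the second goal has had a chance to prune it.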

We believe that the nested domain variable is a useful data structure not 
only for Prolog-type programs but also for finite domain constraint programs. 
We use a simple job scheduling example to explain this in more detail. 

Suppose that two jobs need to be scheduled. Finite domain variables St1 and
St2 represent the start times (non-negative integers) of job1 and job2. We know
that job1's duration is 5 hours and job2's duration is 2 hours. Assume that the
two jobs have to be done within a maximum duration of 7 hours. These can be
expressed by the inequalities:

St1+5 =< 7 and St2+2 =< 7.

At this point, after evaluating these inequalities, we have two reduced do-
mains:

St1 ∈ {0,1,2} and St2 ∈ {0,1,2,3,4,5}.

If we further assume that the two jobs have to share the same resource, this
can be expressed by a non_overlap constraint:

non_overlap(St1,St2) :- St1+5 =< St2 ; St2+2 =< St1.

That is, we either do not start job2 until jobl has finished or do not start 
jobl until job2 has finished. 

The non_overlap constraint consists of two disjunctive inequalities, so it
cannot be checked determinately. With current constraint programming tech-
niques, this can be handled by a lookahead algorithm [12], which enumerates
the domain values of St1 and St2 and removes impossible values from the two
domains. In our example, after we test non_overlap constraints using lookahead,
we can discover that there are only two possible pairs:

(St1 = 0, St2 = 5), or
(St1 = 2, St2 = 0).

In current constraint programming systems, the result from the lookahead
algorithm reduces each domain individually. Therefore, we now have

St1 ∈ {0,2} and St2 ∈ {0,5}.

Although this has greatly reduced both domains, a much tighter constraint,
(St1,St2) ∈ {(0,5), (2,0)}
has been lost.

By introducing nested domain variables, we can represent several domains
together as a tuple: St1 and St2 can be paired as S = (St1,St2). Then, after
the targeted search on the non_overlap constraint, we will obtain:

S = dvar((0,5), (2,0)).

No information is lost. non_overlap(St1,St2) will terminate, whereas with two
separate domains the goal non_overlap(St1,St2) would have to suspend.

One might question whether it is really necessary to maintain this kind of
relation between several domains. To further demonstrate its advantage, let us
assume that in the above example a new constraint, St1 =< St2, is imposed
later on. If the system knows

St1 ∈ {0,2} and St2 ∈ {0,5},

the constraint St1 =< St2 cannot discover any impossible values. However, if
the system knows

(St1,St2) ∈ {(0,5), (2,0)}

it can immediately remove the impossible pair (2,0) and produce determinate
bindings for St1 and St2.

Another question is whether it is practical to use a nested domain variable
combining many variables together. A nested domain might grow exponentially.
During our experiment (Section 5), we tested a program which produces a deeply
nested domain whose size is greater than 2^®. It did increase the running time,
but did not run out of memory.
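The scheduling argument above, worked through in an added Python example. It is not the paper's code; the function names (initial_domains, lookahead_pairs, project, prune_separate, run) and the representation of the tuple domain S as a list of pairs are mine. The point it makes concrete is the one in the text: a lookahead over the Cartesian product finds the two consistent pairs, projecting them onto separate domains throws the pairing away, and the later constraint St1 =< St2 then prunes nothing on the separate domains while it makes the tuple domain determinate.

```python
# Added example (not the paper's code): the two-job scheduling example,
# comparing per-variable domain reduction with a nested (tuple) domain
# S = (St1, St2) as proposed in the paper.
from itertools import product

DUR1, DUR2, HORIZON = 5, 2, 7   # job1 lasts 5 hours, job2 2 hours, all within 7 hours


def initial_domains():
    """St1+5 =< 7 and St2+2 =< 7 over the non-negative integers."""
    st1 = [t for t in range(HORIZON + 1) if t + DUR1 <= HORIZON]
    st2 = [t for t in range(HORIZON + 1) if t + DUR2 <= HORIZON]
    return st1, st2


def non_overlap(st1, st2):
    """The disjunctive resource constraint: job1 before job2, or job2 before job1."""
    return st1 + DUR1 <= st2 or st2 + DUR2 <= st1


def before(st1, st2):
    """The constraint St1 =< St2 that the example imposes later on."""
    return st1 <= st2


def lookahead_pairs(dom1, dom2, constraint):
    """Targeted search on the tuple: enumerate St1 x St2 and keep the
    consistent pairs. The result is the nested domain S = dvar(pairs...)."""
    return [(a, b) for a, b in product(dom1, dom2) if constraint(a, b)]


def project(pairs):
    """What a system with separate domains keeps: each domain reduced on
    its own, with the pairing between the values lost."""
    return sorted({a for a, _ in pairs}), sorted({b for _, b in pairs})


def prune_separate(dom1, dom2, constraint):
    """Lookahead over two separate domains: a value survives if it has at
    least one partner in the other domain (arc consistency)."""
    new1 = [a for a in dom1 if any(constraint(a, b) for b in dom2)]
    new2 = [b for b in dom2 if any(constraint(a, b) for a in dom1)]
    return new1, new2


def run():
    st1, st2 = initial_domains()                    # {0,1,2} and {0,...,5}
    s = lookahead_pairs(st1, st2, non_overlap)      # S = dvar((0,5),(2,0))
    st1, st2 = project(s)                           # St1 in {0,2}, St2 in {0,5}
    # St1 =< St2 arrives. Over the separate domains nothing can be removed...
    separate = prune_separate(st1, st2, before)
    # ...while the tuple domain drops (2,0) at once and becomes determinate.
    tuple_dom = [(a, b) for a, b in s if before(a, b)]
    return {"pairs": s, "separate": separate, "tuple": tuple_dom}


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The same `prune_separate` applied to `non_overlap` on the initial domains gives the {0,2} and {0,5} of the text as well, which is exactly why the conventional solver cannot tell (0,0) and (2,5) apart from the two real schedules afterwards.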



4 Implementation 



We are interested to see whether our model is feasible. As a first experiment, 
we decided to use SICStus Prolog, a well established Prolog system, rather than 
develop a low-level implementation. SICStus Prolog has a powerful coroutine 
facility and provides a special library, the attribute variable library m, which 
allows us to define destructively assigned variables. 
4.1 Program Transformation

We need to transform an ordinary Prolog program into different code such that 
the program will be executed as if it is run under our model. This is not a 
problem because goal suspension can be easily implemented in SICStus Prolog. 

We discuss how to compile a program into its targeted search form. For 
“shallow” programs (e.g., database-type programs), this is very straightforward. 
All we need to do is check whether the targeted search condition is met and, if 
so, we check whether the targeted variable is already a domain variable or still 
a free variable. This leads to two different types of code: in the first case we do 
forward checking, while in the second case we simply use findall or bagof to 
collect all solutions and return them as a domain. 

For recursive programs, we need to generate special code which performs 
targeted search incrementally. This requires some program analysis and maybe 
some user annotations. Going back to our sublist example, provided the com- 
piler knows that the first element in the first argument is the target, it can 
identify that the body goal in the second clause should be stopped. Similarly, it 
can also identify that the recursive goal in the third clause must be carried on 
because the head unification does not produce any output on the first argument. 

The following is the transformed sublist used for targeted search:

sublist_local_search([],[],true).
sublist_local_search([X|L],[X|L1],sublist_local_search(L,L1,_)).
sublist_local_search(L,[_|L1],SusGoal) :-
    sublist_local_search(L,L1,SusGoal).

Comparing this code with the original code, we can see that they are almost 
identical except for the following two changes. First, we added an extra argument 
(the third argument) which returns the suspended goals, if any. In other words, 
the new argument indicates where the computation should continue when the 
next local search is performed. Another change is that the recursion in the second 
clause is removed but is returned as a suspended goal. 



4.2 Implementing Domain Variables 

Domain variables are implemented by using attributed variables m provided 
in SICStus Prolog. An attributed variable can be associated with arbitrary at- 
tributes. Moreover, these attributes can not only be updated but also are back- 
trackable. 

We have already shown how nested domain variables are structured in the 
sublist example. As well as a set of values, our domain variable can also be 
associated with some suspended goals, so we have an extra slot to store this. 
The actual domain variable in our implementation has the following structure: 



620 R. Yang and S. Gregory 



dvar((Value1,GoalList1), (Value2,GoalList2), ...)

Another issue is how to deal with unification after introducing nested domain 
variables. Unification between two nested domain variables is carried out by per- 
forming an intersect operation recursively along the nested structure. Unification 
between a nested domain variable and a ground term is also very easy. We sim- 
ply follow the ground term to trim out all incorrect values in the nested domain. 
The tedious part is to unify a nested domain with a non-ground structure. For 
example, consider a domain variable 

L = dvar([2+dvar([4,5]), 3+dvar([6,7])]),

which represents four possible expressions: 

2+4 , 2+5 , 3+6 , and 3+7 

When L is unified with X+Y, we can produce 

X = dvar([2,3]) and Y = dvar([4,5,6,7]),

but we cannot terminate this unification at this point because, if either X, Y, or 
L changes its domain, we need to check it again. That is, we have to keep L=X+Y 
suspended and resume it when the domain of any of the variables is reduced. 
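The unification with X+Y and the reason it has to stay suspended, as an added Python model (not the paper's SICStus implementation, which keeps the suspended goal in the GoalList slot of the attributed variable). The nested domain is represented as a list of (Left, RightDomain) alternatives, and the names expressions, project_sum and resume are mine.

```python
# Added example (not the paper's code): unifying the nested domain
# L = dvar([2+dvar([4,5]), 3+dvar([6,7])]) with the non-ground term X+Y.
# An alternative of L is (Left, RightDomain), standing for Left + dvar(RightDomain).
L0 = [(2, [4, 5]), (3, [6, 7])]


def expressions(ldom):
    """The concrete terms a nested domain stands for (here four of them)."""
    return ["%d+%d" % (x, y) for x, ys in ldom for y in ys]


def project_sum(ldom):
    """Unify dvar(L) = X+Y once: X gets every left operand and Y every right
    operand. The two separate domains no longer record which X goes with
    which Y, which is the information the suspended goal has to restore."""
    xdom = sorted({x for x, _ in ldom})
    ydom = sorted({y for _, ys in ldom for y in ys})
    return xdom, ydom


def resume(ldom, xdom, ydom):
    """Wake the suspended L = X+Y after one of the three domains shrank:
    trim L to the alternatives still compatible with X and Y, then project
    again so that X and Y pick up the reduction. Returns (L, X, Y)."""
    trimmed = [(x, [y for y in ys if y in ydom]) for x, ys in ldom if x in xdom]
    trimmed = [(x, ys) for x, ys in trimmed if ys]   # no right operand left: drop it
    xdom, ydom = project_sum(trimmed)
    return trimmed, xdom, ydom


if __name__ == "__main__":
    print(expressions(L0))          # ['2+4', '2+5', '3+6', '3+7']
    print(project_sum(L0))          # ([2, 3], [4, 5, 6, 7])
    # Some other constraint reduces Y to {6,7}: the woken goal now removes 2 from X.
    print(resume(L0, [2, 3], [6, 7]))   # ([(3, [6, 7])], [3], [6, 7])
```

Without the resume step the reduction of Y to {6,7} would leave X = dvar([2,3]) even though 2+6 and 2+7 were never in L's domain; with it, L itself is trimmed first and X follows.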



5 Some Results 

We have developed code to support nested domain variables, and tested our
model with a few simple programs: three database examples and three string
comparison examples. The results are summarized in Figure 2.

The database examples are from the world geography database. database1
is the query discussed in Section 3.2 and the other two are similar queries to
database1. protein_seq takes three protein sequences and searches for common
subsequences between them. reverse_list is to find common sublists between
two reversed lists, while same_list is a query which looks for all common sublists
between two identical lists.

The machine used for testing is a Pentium II PC. All programs were compiled
and run under SICStus 3.6 (Linux version). As database queries are quite fast,
we tested them by repeating 10 runs as well as by a single run.

                          under Prolog's control   under our model
  database1                        110                   30
    same prog. 10-run              580                  150
  database2                         20                   10
    same prog. 10-run              120                   55
  database3                         50                   20
    same prog. 10-run              310                  135
  protein_seq                    13510                 1910
  reversed_list                   2780                   20
  same_list                      10370                29500

Fig. 2. Test Results (time in milliseconds)

As the above table shows, apart from the last one, all transformed programs
are much faster under our model than the original programs. We know that for
the first five programs the search space (i.e., the number of inferences) is greatly
reduced under our model. However, we were not sure whether the overhead for
supporting the model is too big to make the model feasible. The above results
are very encouraging.

We deliberately chose the last example, same_list, because it is a special
case where our model cannot provide any advantage. In its original program, all
possible sublists (a total of 2^®) are generated and tested one by one through
backtracking. In our model, a nested domain variable has to be constructed,
comprising a tree with 2^® nodes. This requires huge memory space, which is
why its run time ends up about 3 times slower. Programs like same_list are
very rare, so we believe that the result here does not really represent a drawback
of the model.



6 Related Work 

The idea of using local computation has a long history and has been applied in
many areas. Within the logic (and constraint) programming discipline, a well
known form of local computation is lookahead [12], based on the classic idea of
arc consistency [7]. Our targeted search is similar to lookahead in all but a few
respects. Under constraint programming, lookahead is used to reduce existing
domains. In our case, we also use it to generate a domain for an unbound logical
variable as well as to restrict a domain. Most importantly, in our targeted local
search, we aim to achieve a general form of lookahead which can not only check
arc consistency but also incrementally check path consistency.

In AKL implementations m, a form of local search is provided, which is 
similar to our proposed targeted search in many respects. Perhaps the main 
difference is at the language level: AKL’s local search has to be explicitly defined 
by using deep guards, while we aimed to make it more flexible. 

In our model, a variable can be dynamically changed to a domain variable.
A similar idea has also been proposed in the past m. However, our domain
variables have the unique feature that a domain can be nested inside another
domain. Another difference from [T] is that the domain information is extracted
from the head unification in [T], while we also extract domains from local com-
putation.
7 Conclusion and Future Work

This work has investigated issues in how to provide better control for logic
programs such that the efficiency of programs can be improved. Our starting
point was the Extended Andorra Model. By revising the model, we proposed a
targeted search, so called because we only look for possible solutions of certain
specified variables. This targeted search can be simply achieved by Prolog's
bagof, so we do not need to use the original and-or box rewriting method, which
is quite expensive. It is hoped that this revised model can be easily implemented
in a stack-based system.

In our model, variables shared between different computations can be dy- 
namically changed to finite domain variables after the local search, and their 
consistency can be checked eagerly. 

One important outcome from this work is the notion of nested domain vari-
ables. We introduced a special domain which can contain non-ground compound
terms, i.e., open structures. Variables within these open structures can become
domain variables. A nested domain can keep information on the Cartesian prod-
uct of several domains. With our current implementation, the Cartesian product
is represented as a tree structure. Nested domains can be exploited not only in
Prolog-type programs but also in finite domain constraint programs.

We have tested our idea by an experimental implementation under SICStus 
Prolog. Nested domain variables are implemented by using the attributed vari- 
ables of SICStus Prolog. The experimental results confirm the expected benefits. 

As future work, we would like to investigate the following issues: 

— We need to study in more detail how nested domain variables can be applied 
to finite domain constraint programs. For instance, we may need some clear 
rules to select which variables should be grouped as a tuple, i.e., represented 
as a nested domain. 

— We are interested in designing some kind of user declarations for specifying 
the targeted search condition. We will study the language HAL [2], which 
has introduced various user annotations. 
Abstract. We introduce an abductive method for coherent composition
of distributed data. Our approach is based on an abductive inference 
procedure that is applied on a meta-theory that relates different, pos- 
sibly inconsistent, input databases. Repairs of the integrated data are 
computed, resulting in a consistent output database that satisfies the 
meta-theory. Our framework is based on the A-system, which is an ab- 
ductive system that implements SLDNFA-resolution. The outcome is a 
robust application that, to the best of our knowledge, is more expressive 
(thus more general) than any other existing application for coherent data 
integration. 



1 Introduction 

In many cases complex reasoning tasks have to integrate knowledge from multiple sources. A major challenge in this context is to compose contradicting sources of information such that what is obtained would properly reflect the combination of the distributed data on one hand^1, and would still be coherent (in terms of consistency) on the other hand.

Coherent integration and proper representation of amalgamated data is extensively studied in the literature (see, e.g., |lldl7ll3ll4l2()l21l22l23l2f)l2n]). Common approaches for dealing with this task are based on techniques of belief revision m, methods of resolving contradictions by quantitative considerations (such as "majority vote" [21]) or qualitative ones (e.g., defining priorities on different sources of information or preferring certain data over another mm). Other approaches are based on rewriting rules for representing the information in a specific form m, or use multiple-valued semantics (e.g., annotated logic programs [28,29] and bilattice-based formalisms [12,22]) together with non-classical refutation procedures [11119128] that allow one to decode within the language itself some "meta-information" such as confidence factors, amount of belief for/against a specific assertion, etc.

Each one of the techniques mentioned above has its own limitations and/or 
drawbacks. For instance, in order to properly translate the underlying data to 
a specific form, formalisms that are based on rewriting techniques must assume 

^1 This property is sometimes called compositionality, see, e.g., [30].
that the underlying data (or some part of it, such as the set of integrity con- 
straints) has a specific syntactical structure. Other formalisms (e.g., that of [20]) 
are based on propositional languages, and so in both cases the expressiveness 
is limited. In some of the non-classical formalisms mentioned above (e.g., those 
that are based on annotated logics and several probabilistic formalisms), seman- 
tical notions interfere with the syntax. Moreover, in many of these frameworks 
syntactical embeddings of first-order formulae into non-classical languages are 
needed. Such translations may damage or bias the intuitive meaning of the orig- 
inal formulae. Finally, some of the approaches mentioned above are not capable 
of resolving contradictions unless the reasoner specifies his/her preferences. In 
other approaches, the mechanism of resolving contradictions is determined in 
advance, or is ad-hoc (thus it is oriented towards specific kinds of problems). 
This interference necessarily reduces the flexibility and the generality of the 
corresponding mediative engine. 

In this paper we start from the perspective of a pure declarative representation of the composition of distributed data. This approach is based on a meta-theory relating a number of different (possibly inconsistent) input databases with a consistent output database. The underlying language is that of ID-logic [9], which can be embedded in an abductive logic program. Our composing system is implemented by the abductive solver, the A-system [18]. In the context of this work, we extended this system with an optimizing component that allows us to compute preferred coherent solutions to restore the consistency of the database.

Our approach is related to other work on the use of abduction in the context of databases. m proposed to use abduction for database updating. [15,27] developed a framework for explaining or unexplaining observations by an extended form of abduction in which arbitrary formulas may be added or formulas of the theory may be removed. In this paper, the focus is on a different application of abduction, namely composition and integrity restoration of multiple databases.

By this declarative approach we are able to overcome some of the shortcom- 
ings of the amalgamating techniques mentioned above. In particular, our system 
has the following capabilities: 



1. Any first-order formula may be specified for describing the domain of dis- 
course (as part of the integrity constraints). Thus, to the best of our knowl- 
edge, our approach is more general and expressive than any other available 
application for coherent data integration. 

2. No syntactical embeddings of first-order formulae into different languages 
nor any extensions of two-valued semantics are necessary. Our approach is 
based on a pure generalization of classical refutation procedures. 

3. The way of keeping the data coherent is encapsulated in the component that 
integrates the data. This means, in particular, that no reasoner’s input nor 
any other external policy for making preferences among conflicting sources 
is compulsory in order to resolve contradictions. 
In the sequel we show that our system is sound, complete, and supports 
various types of special information, such as timestamps and source tracing. We 
also discuss implementation issues and provide some experimental results. 



2 Coherent Composition of Knowledge-Bases 

2.1 Problem Description 

Definition 1. A knowledge-base $\mathcal{KB}$ is a pair $(\mathcal{D}, \mathcal{IC})$, where $\mathcal{D}$ (the database) is a set of atomic formulae, and $\mathcal{IC}$ (the set of integrity constraints) is a finite set of first-order formulae.

As usual in such cases, we apply the closed world assumption on databases, 
i.e., every atom that is not mentioned in the database is considered false. The 
underlying semantics corresponds, therefore, to minimal Herbrand interpreta- 
tions. 

Definition 2. A formula $\psi$ follows from a database $\mathcal{D}$ if the minimal Herbrand model of $\mathcal{D}$ is also a model of $\psi$.



Definition 3. A knowledge-base $\mathcal{KB} = (\mathcal{D}, \mathcal{IC})$ is consistent if all the integrity constraints are consistent, and each one follows from $\mathcal{D}$.

Our goal is to integrate $n$ consistent knowledge-bases, $\mathcal{KB}_i = (\mathcal{D}_i, \mathcal{IC}_i)$, $i = 1, \ldots, n$, into a single knowledge-base in such a way that the data in this knowledge-base will contain everything that can be deduced from one of the sources of information, without violating any integrity constraint of another source. The idea is to consider the union of the distributed data, and then to restore its consistency. A key notion in this respect is the following:

Definition 4. [TT] A repair of $\mathcal{KB} = (\mathcal{D}, \mathcal{IC})$ is a pair $(\mathrm{Insert}, \mathrm{Retract})$ such that $\mathrm{Insert} \cap \mathrm{Retract} = \emptyset$, $\mathrm{Insert} \cap \mathcal{D} = \emptyset$, $\mathrm{Retract} \subseteq \mathcal{D}$, and every integrity constraint follows from $\mathcal{D} \cup \mathrm{Insert} \setminus \mathrm{Retract}$.^2

$(\mathcal{D} \cup \mathrm{Insert} \setminus \mathrm{Retract}, \mathcal{IC})$ is called a repaired knowledge-base of $\mathcal{KB}$.

As there may be many ways to repair an inconsistent knowledge-base, it is 
often convenient to make preferences among the repairs and to consider only the 
most preferred ones. Below are two common preference criteria. 

Definition 5. Let $(\mathrm{Insert}, \mathrm{Retract})$ and $(\mathrm{Insert}', \mathrm{Retract}')$ be two repairs of a given knowledge-base.

— set inclusion preference criterion:

$(\mathrm{Insert}', \mathrm{Retract}') \le_i (\mathrm{Insert}, \mathrm{Retract})$ if $\mathrm{Insert} \subseteq \mathrm{Insert}'$ and $\mathrm{Retract} \subseteq \mathrm{Retract}'$.

— cardinality preference criterion:

$(\mathrm{Insert}', \mathrm{Retract}') \le_c (\mathrm{Insert}, \mathrm{Retract})$ if $|\mathrm{Insert}| + |\mathrm{Retract}| < |\mathrm{Insert}'| + |\mathrm{Retract}'|$.

Let $\le$ be a semi-order on the set of repairs, expressing a preference criterion.

Definition 6. [M] A $\le$-preferred repair of a knowledge-base $\mathcal{KB}$ is a repair $(\mathrm{Insert}, \mathrm{Retract})$ of $\mathcal{KB}$ s.t. there is no other repair $(\mathrm{Insert}', \mathrm{Retract}')$ of $\mathcal{KB}$ for which $(\mathrm{Insert}, \mathrm{Retract}) \le (\mathrm{Insert}', \mathrm{Retract}')$.^3

^2 I.e., Insert are elements that should be inserted into $\mathcal{D}$ and Retract are elements that should be removed from $\mathcal{D}$ in order to obtain a consistent knowledge-base.



Definition 7. The set of all the $\le$-preferred repairs of a knowledge-base $\mathcal{KB}$ is denoted by $!(\mathcal{KB}, \le)$.

Definition 8. A $\le$-repaired knowledge-base of $\mathcal{KB}$ is a repaired knowledge-base of $\mathcal{KB}$, constructed from a $\le$-preferred repair of $\mathcal{KB}$. The set of all the $\le$-repaired knowledge-bases of $\mathcal{KB}$ is denoted by

$\mathcal{R}(\mathcal{KB}, \le) = \{ (\mathcal{D} \cup \mathrm{Insert} \setminus \mathrm{Retract}, \mathcal{IC}) \mid (\mathrm{Insert}, \mathrm{Retract}) \in\ !(\mathcal{KB}, \le) \}$.

Note that if $\mathcal{KB}$ is consistent and the preference criterion is a partial order and monotonic in the size of the repairs (as in Definition 5), then $\mathcal{R}(\mathcal{KB}, \le) = \{\mathcal{KB}\}$, i.e., $\mathcal{KB}$ is the (only) $\le$-repaired knowledge-base of itself, and so there is nothing to repair in this case, as expected.



Definition 9. For $\mathcal{KB}_i = (\mathcal{D}_i, \mathcal{IC}_i)$, $i = 1, \ldots, n$, let $\cup\mathcal{KB} = (\bigcup_{i=1}^{n} \mathcal{D}_i,\ \bigcup_{i=1}^{n} \mathcal{IC}_i)$.

In the rest of this paper we describe a system that, given $n$ distributed knowledge-bases and a preference criterion $\le$, computes the set $\mathcal{R}(\cup\mathcal{KB}, \le)$ of the $\le$-repaired knowledge-bases of $\cup\mathcal{KB}$. The reasoner may use different strategies to determine the consequences of this set. Among the common approaches are the skeptical (conservative) one, which is based on a "consensus" among all the elements of $\mathcal{R}(\cup\mathcal{KB}, \le)$ (see |H|), a "credulous" approach in which entailments are decided by any element in $\mathcal{R}(\cup\mathcal{KB}, \le)$, an approach that is based on a "majority vote", etc. A detailed discussion of these methods, and of ways of assuring the consistency of the composed data in each method, will be presented elsewhere.

We conclude this section by noting that in the sequel we shall assume that $\mathcal{IC} = \bigcup_{i=1}^{n} \mathcal{IC}_i$ is consistent. This is a usual assumption in the literature and it is justified by the nature of the integrity constraints as describing statements that are widely accepted. Thus, it is less likely that integrity constraints would contradict each other. Contradictions between the data in the different $\mathcal{KB}$'s and integrity constraints are more frequent, and may occur for many different reasons. In the next section we consider some common cases.



^3 In [14] this notion is defined for the specific case where the preference condition is taken w.r.t. set inclusion.
2.2 Examples

In all the following examples we use set inclusion as the preference criterion.^4

Example 1. [TH Example 1] Consider a distributed knowledge-base with relations of the form $teaches(course\_name, teacher\_name)$. Suppose also that each knowledge-base contains a single integrity constraint, stating that the same course cannot be taught by two different teachers:

$\mathcal{IC} = \{ \forall X \forall Y \forall Z\, (teaches(X, Y) \wedge teaches(X, Z) \rightarrow Y = Z) \}$.

Consider now the following two knowledge-bases:

$\mathcal{KB}_1 = (\{teaches(c_1, n_1), teaches(c_2, n_2)\}, \mathcal{IC})$,

$\mathcal{KB}_2 = (\{teaches(c_2, n_3)\}, \mathcal{IC})$.

Clearly, $\mathcal{KB}_1 \cup \mathcal{KB}_2$ is inconsistent. Its preferred repairs are $(\emptyset, \{teaches(c_2, n_2)\})$ and $(\emptyset, \{teaches(c_2, n_3)\})$. Hence, the two repaired knowledge-bases are:

$\mathcal{R}_1 = (\{teaches(c_1, n_1), teaches(c_2, n_2)\}, \mathcal{IC})$, and
$\mathcal{R}_2 = (\{teaches(c_1, n_1), teaches(c_2, n_3)\}, \mathcal{IC})$.



Example 2. [TH Example 2] Consider a distributed knowledge-base with relations of the form $supply(supplier, department, item)$ and $class(item, type)$. Let

$\mathcal{KB}_1 = (\{supply(c_1, d_1, i_1), class(i_1, t_1)\}, \mathcal{IC})$, and
$\mathcal{KB}_2 = (\{supply(c_2, d_2, i_2), class(i_2, t_1)\}, \emptyset)$, where
$\mathcal{IC} = \{ \forall X \forall Y \forall Z\, (supply(X, Y, Z) \wedge class(Z, t_1) \rightarrow X = c_1) \}$
states that only supplier $c_1$ can supply items of type $t_1$.

$\mathcal{KB}_1 \cup \mathcal{KB}_2$ is inconsistent and has two preferred repairs: $(\emptyset, \{supply(c_2, d_2, i_2)\})$ and $(\emptyset, \{class(i_2, t_1)\})$. Hence, there are two ways to repair it:

$\mathcal{R}_1 = (\{supply(c_1, d_1, i_1), class(i_1, t_1), class(i_2, t_1)\}, \mathcal{IC})$,

$\mathcal{R}_2 = (\{supply(c_1, d_1, i_1), supply(c_2, d_2, i_2), class(i_1, t_1)\}, \mathcal{IC})$.



Example 3. [21 Example 4] Let $\mathcal{D}_1 = \{p(a), p(b)\}$, $\mathcal{D}_2 = \{q(a), q(c)\}$, and $\mathcal{IC} = \{\forall X\, (p(X) \rightarrow q(X))\}$. Again, $(\mathcal{D}_1, \emptyset) \cup (\mathcal{D}_2, \mathcal{IC})$ is inconsistent. The corresponding preferred repairs are $(\{q(b)\}, \emptyset)$ and $(\emptyset, \{p(b)\})$. The repaired knowledge-bases are therefore the following:

$\mathcal{R}_1 = (\{p(a), p(b), q(a), q(b), q(c)\}, \mathcal{IC})$,

$\mathcal{R}_2 = (\{p(a), q(a), q(c)\}, \mathcal{IC})$.



^4 Generally, in what follows we shall fix a preference criterion for choosing the "best" repairs and omit its notation whenever possible.
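The three examples above, computed directly from Definitions 4-8, as an added Python example (constructed here, not the paper's A-system code). It assumes argument sorts for each predicate to keep the Herbrand base finite, and it also reports the cardinality-preferred repairs, which coincide with the set-inclusion ones on these examples.

```python
"""Repairs and preferred repairs of a union knowledge-base (Definitions 4-8) on Examples 1-3.
Constructed example, not the paper's A-system code. A database is a set of ground atoms
('pred', arg1, ...); by the closed world assumption its minimal Herbrand model is the set
itself, so an integrity constraint is a Python predicate over that set. Argument sorts per
predicate (an assumption of this example only) keep the Herbrand base finite."""
from itertools import combinations, product


def subsets(atoms):
    """All subsets of a set of atoms, as frozensets."""
    atoms = sorted(atoms)
    for k in range(len(atoms) + 1):
        for chosen in combinations(atoms, k):
            yield frozenset(chosen)


def herbrand_base(sorts, signatures):
    """Typed Herbrand base: every ground atom whose i-th argument lies in its i-th sort."""
    base = set()
    for pred, arg_sorts in signatures.items():
        for args in product(*(sorts[s] for s in arg_sorts)):
            base.add((pred,) + args)
    return frozenset(base)


def repairs(db, ics, base):
    """Definition 4: all (Insert, Retract) with Insert ∩ db = ∅, Retract ⊆ db, and every
    integrity constraint holding in db ∪ Insert \\ Retract (Insert ∩ Retract = ∅ follows)."""
    found = []
    for insert in subsets(base - db):
        for retract in subsets(db):
            model = (db | insert) - retract
            if all(ic(model) for ic in ics):
                found.append((insert, retract))
    return found


def inclusion_preferred(reps):
    """Definition 6 with set inclusion: drop (I, R) when another repair (I', R')
    has I' ⊆ I and R' ⊆ R, i.e. (I, R) <=_i (I', R') for a strictly smaller (I', R')."""
    return {r for r in reps
            if not any(o != r and o[0] <= r[0] and o[1] <= r[1] for o in reps)}


def cardinality_preferred(reps):
    """Definition 6 with cardinality: minimal |Insert| + |Retract|."""
    if not reps:
        return set()
    best = min(len(i) + len(r) for i, r in reps)
    return {(i, r) for i, r in reps if len(i) + len(r) == best}


def repaired_dbs(db, preferred_reps):
    """Definition 8: the databases D ∪ Insert \\ Retract of the preferred repairs."""
    return {frozenset((db | i) - r) for i, r in preferred_reps}


def preferred(db, ics, base):
    """(inclusion-preferred, cardinality-preferred) repairs of the knowledge-base (db, ics)."""
    reps = repairs(db, ics, base)
    return inclusion_preferred(reps), cardinality_preferred(reps)


# Example 1: forall X,Y,Z (teaches(X,Y) and teaches(X,Z) -> Y = Z)
def ic_unique_teacher(m):
    return all(a[2] == b[2] for a in m for b in m
               if a[0] == b[0] == 'teaches' and a[1] == b[1])

EX1_DB = frozenset({('teaches', 'c1', 'n1'), ('teaches', 'c2', 'n2'),  # D1
                    ('teaches', 'c2', 'n3')})                           # D2
EX1_BASE = herbrand_base({'course': ['c1', 'c2'], 'teacher': ['n1', 'n2', 'n3']},
                         {'teaches': ['course', 'teacher']})

# Example 2: forall X,Y,Z (supply(X,Y,Z) and class(Z,t1) -> X = c1)
def ic_only_c1_supplies_t1(m):
    return all(s[1] == 'c1' for s in m
               if s[0] == 'supply' and ('class', s[3], 't1') in m)

EX2_DB = frozenset({('supply', 'c1', 'd1', 'i1'), ('class', 'i1', 't1'),  # D1
                    ('supply', 'c2', 'd2', 'i2'), ('class', 'i2', 't1')})  # D2
EX2_BASE = herbrand_base(
    {'supplier': ['c1', 'c2'], 'dept': ['d1', 'd2'], 'item': ['i1', 'i2'], 'type': ['t1']},
    {'supply': ['supplier', 'dept', 'item'], 'class': ['item', 'type']})

# Example 3: forall X (p(X) -> q(X)), contributed by KB2 alone but binding on the union
def ic_p_implies_q(m):
    return all(('q', a[1]) in m for a in m if a[0] == 'p')

EX3_DB = frozenset({('p', 'a'), ('p', 'b'), ('q', 'a'), ('q', 'c')})
EX3_BASE = herbrand_base({'obj': ['a', 'b', 'c']}, {'p': ['obj'], 'q': ['obj']})

EXAMPLES = [('Example 1', EX1_DB, [ic_unique_teacher], EX1_BASE),
            ('Example 2', EX2_DB, [ic_only_c1_supplies_t1], EX2_BASE),
            ('Example 3', EX3_DB, [ic_p_implies_q], EX3_BASE)]

if __name__ == '__main__':
    for name, db, ics, base in EXAMPLES:
        incl, card = preferred(db, ics, base)
        print(name, '- inclusion- and cardinality-preferred repairs agree:', incl == card)
        for ins, ret in incl:
            print('  Insert', sorted(ins), ' Retract', sorted(ret))
```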
3 Knowledge Integration through Abduction

In this section we introduce an abductive method for a coherent integration of knowledge-bases. Our framework is composed of a language for describing the problem domain (ID-logic, [9]), an abductive solver that is based on an abductive refutation procedure (SLDNFA, [10]), and a computational model for controlling the search (A-system [18]).

3.1 ID-Logic and Abductive Logic Programming

ID-logic [9] is a framework for declarative knowledge representation that extends classical logic with inductive definitions. This logic incorporates two types of knowledge: definitional and assertional. Assertional knowledge is a set of first-order statements, representing a general truth about the domain of discourse. Definitional knowledge is a set of rules of the form $p \leftarrow B$, in which the head $p$ is a predicate and the body $B$ is a first-order formula. A predicate that does not occur in any head is called open (sometimes called abducible).

Below we present an ID-logic meta-theory describing the composition of databases in terms of open predicates insert and retract. The key property of this theory is that its abductive solutions describe the coherent compositions. Abductive reasoning on an ID-logic theory can be performed by mapping it into an abductive logic program [Bj under the extended well-founded semantics PH and applying an abductive inference procedure to it. An abductive logic program (ALP) is a triple $\mathcal{T} = (\mathcal{P}, \mathcal{A}, \mathcal{IC})$, such that

— $\mathcal{P}$ is a logic program, the clauses of which are interpreted as definitions for the predicates in their head,

— $\mathcal{A}$ is a set of predicates, none of which occurs in the head of a clause in $\mathcal{P}$. The elements in $\mathcal{A}$ are called the abducible predicates.

— $\mathcal{IC}$ is a set of first-order formulae, called the integrity constraints.

Constants, functors and predicate symbols are defined as usual in logic programs. 

Definition 10. An (abductive) solution for a theory $(\mathcal{P}, \mathcal{A}, \mathcal{IC})$ and a query $Q$ is a set $\Delta$ of ground abducible atoms, all having predicate symbols in $\mathcal{A}$, together with an answer substitution $\theta$, such that: (a) $\mathcal{P} \cup \Delta$ is consistent, (b) $\mathcal{P} \cup \Delta \models \mathcal{IC}$, and (c) $\mathcal{P} \cup \Delta \models \forall Q\theta$.

In what follows we use ID-logic to specify the knowledge integration, and implement the reasoning process by an abductive refutation procedure. For this we represent any data in some distributed database by a predicate db, and denote the elements in the composed database by the predicate fact. The latter predicate is defined as follows:

    fact(X) :- db(X), not retract(X).
    fact(X) :- insert(X).

In particular, in order to restore consistency, some facts may be removed 
and some other facts may be introduced. These facts are represented by the 
(abducible) predicates retract and insert, respectively. To assure proper computations of the solutions, the following integrity constraints are also specified^5:

— An element cannot be retracted and inserted at the same time:
    ic :- insert(X), retract(X).

— An inserted element should not belong to a given database:
    ic :- insert(X), db(X).

Assuming that all the integrity constraints of the distributed knowledge- 
bases are compatible and that no distinctions are made among the origins of the 
composed facts, the following steps are performed: 

1. Each database fact X is represented by an atom db(X).

2. Every occurrence of an atom P in some integrity constraint is replaced by 
fact(P). This is done in order to assure that every integrity constraint would 
hold for the composed data as well. 

3. A solution is computed in terms of the abducible predicates insert and 
retract. 

3.2 The A-System

The reasoning process of our revision system is performed by the A-system, introduced in [18]. The basic idea of this system is a reduction of a high level specification into a lower level constraint store, which is managed by a constraint solver. The system is a synthesis of the refutation procedures SLDNFA [10] and ACLP [17], together with an improved control strategy. The latest version of the system can be obtained from http://www.cs.kuleuven.ac.be/~dtai/kt/. It runs on top of SICStus Prolog 3.8.5. Below we sketch the theoretical background as well as some practical considerations behind this system. For more information, see |in] and [T^.

Abductive inferences. Given an abductive theory $(\mathcal{P}, \mathcal{A}, \mathcal{IC})$ as defined above, the logical reduction of a query $Q$ can be described as a derivation for $Q$ through a rewriting state process. A state $S$ consists of two types of elements: a set $\mathrm{Pos}(S)$ of literals (possibly with free variables), called positive goals, and a set $\mathrm{Neg}(S)$ of denials, called negative goals. The set $\mathcal{A}(S)$ denotes the abducible atoms in $S$, i.e. positive goal atoms whose predicate is an abducible. $\mathcal{C}(S)$ denotes the set of constraint atoms in $S$.

A rewriting derivation proceeds from state $S_i$ by selecting a literal of $S_i$ and applying a suitable inference rule, yielding a new state $S_{i+1}$. The main inference rules are given by the following rewrite rules. In the list below we denote by $A$ and $B$ some literals, and by $C$ a constraint literal. $\mathcal{P}$ denotes the theory under consideration. For readability, we do not mention cases in which $\mathrm{Pos}(S)$ or $\mathrm{Neg}(S)$ is the same in states number $i$ and $i+1$.

— Rules for defined predicates:

• if $A(X) \leftarrow B_j[X] \in \mathcal{P}$ and $A(t) \in \mathrm{Pos}(S_i)$, then $\mathrm{Pos}(S_{i+1}) = \mathrm{Pos}(S_i) \setminus \{A(t)\} \cup \{B_j[t]\}$.

• if $\leftarrow A(t), Q \in \mathrm{Neg}(S_i)$, then $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow A(t), Q\} \cup U$, where $U = \{\leftarrow B_j[t], Q \mid A(t) \leftarrow B_j[t] \in \mathcal{P}\}$.

— Rules for open predicates:

• if $\leftarrow A(t), Q \in \mathrm{Neg}(S_i)$ and $p(s) \in \mathcal{A}(S_i)$ then $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow A(t), Q\} \cup \{U\} \cup \{R\}$, where $U = \ \leftarrow t = s, Q$, and $R = \ \leftarrow A(t), t \neq s, Q$.

— Rules for negations: Assume that $A$ is not a constraint literal.

• if $\neg A \in \mathrm{Pos}(S_i)$ then $\mathrm{Pos}(S_{i+1}) = \mathrm{Pos}(S_i) \setminus \{\neg A\}$ and $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \cup \{\leftarrow A\}$.

• if $\leftarrow \neg A, Q \in \mathrm{Neg}(S_i)$ then one of the following branches is taken:

1. $\mathrm{Pos}(S_{i+1}) = \mathrm{Pos}(S_i) \cup \{A\}$ and $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow \neg A, Q\}$.

2. $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow \neg A, Q\} \cup \{\leftarrow A, \leftarrow Q\}$.

— Rules for constraint literals:

• if $\leftarrow C, Q \in \mathrm{Neg}(S_i)$ then one of the following branches is taken:

1. $\mathrm{Pos}(S_{i+1}) = \mathrm{Pos}(S_i) \cup \{\neg C\}$, $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow C, Q\}$.

2. $\mathrm{Pos}(S_{i+1}) = \mathrm{Pos}(S_i) \cup \{C\}$, $\mathrm{Neg}(S_{i+1}) = \mathrm{Neg}(S_i) \setminus \{\leftarrow C, Q\} \cup \{\leftarrow Q\}$.
Remark: It is important here to assume that the underlying constraint solver is capable of handling negated constraint literals. This is indeed the case with the constraint solver used by our system (SICStus).

^5 In what follows we use the notation "ic :- B" to denote the denial "false ← B".

The initial state $S_0$ for a theory $\mathcal{P}$ and a query $Q$ consists of the query $Q$ as a positive goal and the set of all denials in $\mathcal{P}$ as negative goals. A successful state $S$ fulfills the following conditions:

1. $S$ contains positive goals only of the form of abducible atoms or constraint atoms,

2. negative goals in $S$ are denials containing some open atom $p(t)$ which has already been selected and resolved with each abduced atom $p(s) \in S$, and

3. the constraint store $\mathcal{C}(S)$ of $S$ is satisfiable.

Definition 11. A successful abductive derivation of a query $Q$ w.r.t. $\mathcal{P}$ is a sequence of states $S_0, S_1, \ldots, S_n$, where: (a) $S_0$ is an initial state for $\mathcal{P}$ and $Q$, (b) for every $0 \le i \le n-1$, $S_{i+1}$ is obtained from $S_i$ by applying one of the transition rules, and (c) $S_n$ is a successful state.

Whenever false is derived (in one of the constraint domains) the derivation backtracks. A derivation flounders when universally quantified variables appear in a selected negated literal in a denial.

Let $S_n$ be a final state of a successful derivation. Then any substitution $\theta$ that assigns a ground term to each free variable of $S_n$ and which satisfies the constraint store $\mathcal{C}(S_n)$ is called a solution substitution of $S_n$. Such a substitution always exists since $\mathcal{C}(S_n)$ is satisfiable for a successful derivation.

Theorem 1. [TH] Let $\mathcal{T} = (\mathcal{P}, \mathcal{A}, \mathcal{IC})$ be an abductive theory s.t. $\mathcal{P} \models \mathcal{IC}$, $Q$ a query, $S$ the final state of a successful derivation for $Q$, and $\theta$ a solution substitution of $S$. Then the pair $\theta(\mathcal{A}(S))$ and $\theta$ is an abductive solution for $\mathcal{T}$ and $Q$.
Control strategy. The selection strategy applied during the derivation process is crucial. A Prolog-like selection strategy (left first, depth first) often leads to thrashing, because it is blind to other choices and it does not result in a global overview of the current state of the computation. In the development of the A-system the main focus was on the improvement of the control strategy. The idea is to apply first those rules that have a deterministic change of the state, so that information is propagated. If no such rule is applicable, then one of the left-over choice points is selected and a choice is made. This resembles a CLP-solver, in which the constraints propagate their information as soon as a choice is made. This propagation yields fewer choices and thus often dramatically increases the performance.



3.3 Implementation and Experiments 

In this section we present the structure of our system, discuss a few implemen- 
tation issues, and give some experimental results. 



The structure of the system. Figure 1 shows a layered description of the implemented system. The uppermost level consists of the data to be integrated, i.e., the database information and the integrity constraints. This layer together with the composer form an ID-Logic theory that is processed by the A-system.

The composer consists of the meta-theory for integrating the distributed data 
in a coherent way. It is interpreted here as an abductive theory, in which the 
abducible predicates provide the information on how to restore the consistency 
of the amalgamated data. 

The abductive system (enclosed by dotted lines in Figure 1) consists of three main components: a finite domain constraint solver (the one of SICStus Prolog), an abductive meta-interpreter (described above), and an optimizer.

The optimizer is a component that, given a preference criterion on the space of the solutions, computes only the most-preferred (abductive) solutions. Given such a preference criterion, this component prunes "on the fly" those branches of the search tree that lead to worse solutions than what we have already computed. This is actually a branch and bound "filter" on the solution space that speeds up execution and makes sure that only the desired solutions will be obtained. If the preference criterion is monotonic (in the sense that from a partial solution it can be determined whether it potentially leads to a solution that is not worse than a current one), then the optimizer is complete, that is, it can compute all the optimal solutions (see also Section 3.4).

Note that the optimizer is a general component added to the A-system. Not only does this domain benefit from it; it is also usable in other application domains such as planning.



Experimental study. Figure 2 contains the code (data section + composer) for implementing Example 1 (the codes for Examples 2 and 3 are similar). We have executed this code as well as other examples from the literature in our system. As Theorem 3 below guarantees, the output in each case was the set of the most preferred solutions of the corresponding problem.

Coherent Composition of Distributed Knowledge-Bases through Abduction 633

[Figure 1: layered diagram with the components User Input, ID-Logic Theory, Composing System and Abductive System]

Fig. 1. A schematic view of the system components.

3.4 Soundness and Completeness

In this section we give some soundness and completeness results for our system. In what follows we denote by $\mathcal{T}$ an abductive theory in ID-logic, constructed as described above for composing $n$ given knowledge-bases $\mathcal{KB}_1, \ldots, \mathcal{KB}_n$. Also, $Proc_{ALP}$ denotes some sound abductive proof procedure (e.g., SLDNFA [10]).

Proposition 1. Every abductive solution that is obtained by $Proc_{ALP}$ for a theory $\mathcal{T}$ is a repair of $\cup\mathcal{KB}$.

Proof: By the construction of $\mathcal{T}$ it is easy to see that all the conditions specified in Definition 4 are met: the first two conditions are assured by the integrity constraints of the composer. The third condition immediately follows from the composer's rules. The last condition is satisfied since by the soundness of $Proc_{ALP}$ it produces abductive solutions $\Delta_i$ for $\mathcal{T}$, thus by the second property in Definition 10, for every such solution $\Delta_i = (\mathrm{Insert}_i, \mathrm{Retract}_i)$ we have that $\mathcal{P} \cup \Delta_i \models \mathcal{IC}$. Since $\mathcal{P}$ contains a data section with all the facts, it follows that $\mathcal{D} \cup \Delta_i \models \mathcal{IC}$, i.e. every integrity constraint follows from $\mathcal{D} \cup \mathrm{Insert}_i \setminus \mathrm{Retract}_i$. □

Theorem 2. (Soundness) Every output that is obtained by running $\mathcal{T}$ in the A-system together with a $\le_c$-optimizer [respectively, together with a $\le_i$-optimizer] is a $\le_c$-preferred repair [respectively, a $\le_i$-preferred repair] of $\cup\mathcal{KB}$.
    /* Composer: */
    :- dynamic ic/0, fact/1, db/1.

    abducible(insert(_)).
    abducible(retract(_)).

    fact(X) :- db(X), not(retract(X)).
    fact(X) :- insert(X).

    ic :- insert(X), db(X).
    ic :- insert(X), retract(X).

    /* Example 1: */
    db(teaches(1,1)). db(teaches(2,2)).                       % D1
    db(teaches(2,3)).                                         % D2
    ic :- fact(teaches(X,Y)), fact(teaches(X,Z)), Y\=Z.       % IC

Fig. 2. Code for Example 1.



Proof: Follows from Proposition 1 (since the A-system is based on SLDNFA, which is a sound abductive proof procedure), and the fact that the $\le_c$-optimizer prunes paths that lead to solutions which are not $\le_c$-preferable. Similar arguments hold for systems with a $\le_i$-optimizer. □

Proposition 2. Suppose that the query '$\leftarrow$ true' has a finite SLDNFA-tree w.r.t. $\mathcal{T}$. Then every $\le_c$-preferred repair and every $\le_i$-preferred repair of $\cup\mathcal{KB}$ is obtained by running $\mathcal{T}$ in the A-system.

Outline of proof: The proof that all the abductive solutions with minimal cardinality are obtained by the system is based on [10, Theorem 10.1], where it is shown that $\mathrm{SLDNFA}^{\circ}$, which is an extension of SLDNFA aimed at computing solutions with minimal cardinality, is complete (see [10, Section 10.1] for further details). Similarly, the proof that all the abductive solutions which are minimal w.r.t. set inclusion are obtained by the system is based on [10, Theorem 10.2], which shows that $\mathrm{SLDNFA}^{+}$, which is another extension of SLDNFA aimed at computing minimal solutions w.r.t. set inclusion, is also complete (see [10, Section 10.2] for further details).

Now, the A-system is based on the combination of $\mathrm{SLDNFA}^{\circ}$ and $\mathrm{SLDNFA}^{+}$. Moreover, as this system does not change the refutation tree (but only controls the way rules are selected), Theorems 10.1 and 10.2 in [10] are applicable in our case as well. Thus, all the $\le_c$- and the $\le_i$-minimal solutions are produced. This in particular means that every $\le_c$-preferred repair as well as every $\le_i$-preferred repair of $\cup\mathcal{KB}$ is produced by our system. □

Theorem 3. (Completeness) In the notations of Proposition 2 and under its assumptions, the output of the execution of $\mathcal{T}$ in the A-system together with a $\le_c$-optimizer [respectively, together with a $\le_i$-optimizer] is exactly $!(\cup\mathcal{KB}, \le_c)$ [respectively, $!(\cup\mathcal{KB}, \le_i)$].



Proof: We shall show the claim for the case of $\le_c$; the proof w.r.t. $\le_i$ is similar.

Let $(\mathrm{Insert}, \mathrm{Retract}) \in\ !(\cup\mathcal{KB}, \le_c)$. By Proposition 2, $\Delta = (\mathrm{Insert}, \mathrm{Retract})$ is one of the solutions produced by the A-system for $\mathcal{T}$. Now, during the execution of our system together with the $\le_c$-optimizer, the path that corresponds to $\Delta$ cannot be pruned from the refutation tree, since by our assumption $(\mathrm{Insert}, \mathrm{Retract})$ has a minimal cardinality among the possible solutions, so the pruning condition is not satisfied. Thus $\Delta$ will be produced by the $\le_c$-optimized system. For the converse, suppose that $(\mathrm{Insert}, \mathrm{Retract})$ is some repair of $\cup\mathcal{KB}$ that is produced by the $\le_c$-optimized system. Suppose for a contradiction that $(\mathrm{Insert}, \mathrm{Retract}) \notin\ !(\cup\mathcal{KB}, \le_c)$. By the proof of Proposition 2 there is some $\Delta' = (\mathrm{Insert}', \mathrm{Retract}') \in\ !(\cup\mathcal{KB}, \le_c)$ that is constructed by the A-system for $\mathcal{T}$, and $(\mathrm{Insert}', \mathrm{Retract}') \le_c (\mathrm{Insert}, \mathrm{Retract})$. But $|\Delta'| < |\Delta|$, and so the $\le_c$-optimizer would prune the path of the $\Delta$ solution once its cardinality becomes bigger than $|\Delta'|$. This contradicts our assumption that $(\mathrm{Insert}, \mathrm{Retract})$ is produced by the $\le_c$-optimized system. □

4 Handling Specialized Information 

4.1 Timestamped Information

Many database applications contain temporal information. This kind of data may be divided into two types: time information that is part of the data itself, and time information that is related to database operations (e.g., records on when the database was updated). Consider, for instance, $birth\_day(John, 15/05/2001)_{16/05/2001}$. Here, John's date of birth is an instance of the former type of time information, and the subscripted data that describes the time at which this fact was added to the database is an instance of the latter type of time information.

In our approach, timestamp information can be integrated by adding a temporal theory describing the state of the database at any particular time point. One way of doing so is by using situation calculus. In this approach a database is described by initial information and a history of events performed during the database lifetime (see [25]). Here we use a different approach, which is based on event calculus. The idea is to make a distinction between two kinds of events: add_db and del_db that describe the database modifications, and the composer-driven events insert and retract that are used for constructing database repairs. In this view, the extended composer has the following form:

    holds_at(P,T) :- initially(P), not clipped(0,P,T).
    holds_at(P,T) :- add(P,E), E<T, not clipped(E,P,T).
    clipped(E,P,T) :- del(P,C), E<C, C<T.

    add(P,T) :- add_db(P,T).     add(P,T) :- insert(P,T).
    del(P,T) :- del_db(P,T).     del(P,T) :- retract(P,T).

    ic :- insert(P,T), retract(P,T).
    ic :- insert(P,T), add_db(P,T).
    ic :- retract(P,T), del_db(P,T).
In this extended context the integrity constraints must be carefully specified. Consider, e.g., the statement that a person can be born only on one date:

ic :- holds_at(birth_day(P,D1),T), holds_at(birth_day(P,D2),T), D1\=D2.

The problem here is that to ensure consistency this constraint must be checked at every point in time. This may be avoided by a simple rewriting that ensures that the constraint will be verified only when an event occurs:

ic(birth,T) :- holds_at(birth_day(P,D1),T), holds_at(birth_day(P,D2),T), D1\=D2.
ic :- add_db(birth_day,T), NT = T+1, ic(birth,NT).
ic :- del_db(birth_day,T), NT = T+1, ic(birth,NT).
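The extended composer above run over a constructed birth_day history, as an added example in Python (not the paper's own code). It assumes integer time points in place of dates and the fact/event encoding described in the comments; the repair shown (a composer retract) is likewise constructed.

```python
"""Event-calculus composer with timestamps (Section 4.1).

Added example, not the paper's own code. It follows the clauses of the
extended composer: add_db/del_db are the database's own modification
events, insert/retract are the composer's repair events, and the
birth-date constraint is checked only at the time point right after a
database event, as the rewriting ic(birth,T) suggests.
"""

# A fact is (predicate, arguments); an event is (fact, time point).
# Constructed sample history: integer time points stand in for dates.
JOHN_1 = ("birth_day", ("john", "15/05/2001"))
JOHN_2 = ("birth_day", ("john", "16/05/2001"))
ADD_DB = [(JOHN_1, 2), (JOHN_2, 5)]      # the second record conflicts with the first
DEL_DB = [(JOHN_1, 7)]                   # ... until the first one is deleted at 7


def make_holds_at(initially, add, delete):
    """Build holds_at(P,T) from initially(P), add(P,E) and del(P,C)."""
    def clipped(e, p, t):
        # clipped(E,P,T) :- del(P,C), E<C, C<T.
        return any(q == p and e < c < t for q, c in delete)

    def holds_at(p, t):
        # holds_at(P,T) :- initially(P), not clipped(0,P,T).
        if p in initially and not clipped(0, p, t):
            return True
        # holds_at(P,T) :- add(P,E), E<T, not clipped(E,P,T).
        return any(q == p and e < t and not clipped(e, p, t) for q, e in add)

    return holds_at


def ic_birth(holds_at, facts, t):
    """ic(birth,T): some person has two different birth dates holding at T."""
    dates = {}
    for fact in facts:
        pred, args = fact
        if pred != "birth_day":
            continue
        person, date = args
        if holds_at(fact, t):
            dates.setdefault(person, set()).add(date)
    return any(len(ds) > 1 for ds in dates.values())


def composer_conflicts(add_db, del_db, insert, retract):
    """The three ic clauses on composer events: an insert/retract may not
    coincide with each other or with the database's own add_db/del_db."""
    ins, ret = set(insert), set(retract)
    return bool(ins & ret) or bool(ins & set(add_db)) or bool(ret & set(del_db))


def violations(initially, add_db, del_db, insert=(), retract=()):
    """Time points NT = T+1 after a database event at which ic(birth,NT) fires.
    An empty list means the (repaired) database is consistent."""
    if composer_conflicts(add_db, del_db, insert, retract):
        raise ValueError("ic: a composer event coincides with a database event")
    add = list(add_db) + list(insert)        # add(P,T) :- add_db(P,T) ; insert(P,T).
    delete = list(del_db) + list(retract)    # del(P,T) :- del_db(P,T) ; retract(P,T).
    holds_at = make_holds_at(set(initially), add, delete)
    facts = {p for p, _ in add} | set(initially)
    event_times = {t for _, t in list(add_db) + list(del_db)}
    return sorted(t + 1 for t in event_times if ic_birth(holds_at, facts, t + 1))


if __name__ == "__main__":
    print(violations(set(), ADD_DB, DEL_DB))                           # [6]
    # Repair: the composer retracts the first record at time 5, just before
    # the conflicting one is added, so the constraint holds again at 6.
    print(violations(set(), ADD_DB, DEL_DB, retract=[(JOHN_1, 5)]))    # []
```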



4.2 Keeping Track of Source Identities 

There are cases in which it is important to preserve the identity of the database from which a specific piece of information originated. This is useful, for instance, when one wants to make preferences among different sources, or when some specific source should be filtered out (e.g., when the corresponding database is not available or becomes unreliable). This kind of information may be decoded by adding another argument to every fact, which denotes the identity of its origin. This requires minor modifications in the basic composer, since the composer controls the way in which the data is integrated. As such, it is the only component that can keep track of the source of the information.

Suppose, then, that for every database fact we add another argument that identifies its source. I.e., db(X,S) denotes that X is a fact originated from a database S. The composer then has the following form:

fact(X,S) :- db(X,S), not retract(X).
fact(X,composer) :- insert(X).
ic :- insert(X), db(X,S).
ic :- insert(X), retract(X).

Note that the composer considers itself as an extra source that inserts brand new data facts. Now it is possible, e.g., to trace information that comes from a specific source, make preferences among different sources (by specifying appropriate integrity constraints), and filter data that comes from certain sources. The last property is demonstrated by the following rule:

validFact(X) :- fact(X,S), trusted_source(S).

where trusted_source enumerates all reliable sources of the data.

4.3 Handling Quantitative Information 

Next we consider a potential way of decoding in the integrated data some quantitative information, such as certainty factors or probabilities.

Suppose that db(X,i) denotes that fact X holds with probability i. One can define a strategy on how to reason with this kind of information, and decode it in the composer. For instance, the composer below uses a conservative policy that takes for each fact its lowest probability:

fact(X,i) :- db(X,_), not retract(X), i = min{j | db(X,j)}.
fact(X,1) :- insert(X,1).
ic :- insert(X,1), db(X,_).
ic :- insert(X,1), retract(X).

For implementing this kind of program the underlying system should be able to compute aggregations (possibly together with recursion). Adding this capability to our system is one of the subjects for future work.

5 Conclusion and Further Work 

In this paper we have developed a formal declarative foundation for rendering coherent data, provided by different knowledge-bases, and presented an application that implements this approach. Like other systems (e.g., [6,14,20,29]), our system mediates among the sources of information and between the reasoner and the underlying data.

Composing distributed data by a meta-theory in ID-logic yields a robust and easily extendable system. Extra meta-information about the data facts, such as time stamps and source, is easily dealt with by extending the meta-theory properly. Due to the inherent modularity of the chosen approach, each part is independent and can be adapted according to the needs.

It is important to note that our composing system inherits the functionality of the underlying solver. This implies, in particular, flexibility, modularity, easy interaction with different sources of information, and the ability to reason with any set of first-order integrity constraints. As such, our system may be easily modified and extended with additional background knowledge.

Among the directions for further exploration are dealing with more general 
forms of databases, in which views (or rules) are allowed, and lifting the condi- 
tion that all the integrity constraints are compatible with each other. Another 
important challenge is to extend the capabilities of the abductive system with 
aggregation. This would allow us to integrate different types of databases, and 
would provide means of solving new kinds of problems. 
Abstract. A simple model of dynamic databases is studied from a modal logic perspective. A state $\alpha$ of a database is an atomic update of a state $\beta$ if at most one atomic statement is evaluated differently in $\alpha$ compared to $\beta$. The corresponding restriction on Kripke-like structures yields so-called update logics. These logics are studied also in a many-valued context. Adequate tableau calculi are given.



1 Introduction 

Various approaches employing modal logics for the representation of knowledge and for (mechanized) reasoning about data have been investigated. See, e.g., [3,15,6,10,9] for some recent work of relevance to database theory.

Here we investigate a particularly simple model of (dynamic) databases. The states of a database are identified with assignments of truth values to basic propositions. Some states are considered as results of updating other states of the database. In other words, a binary update relation is defined over the set of possible states. This amounts to defining usual Kripke interpretations. Standard normal modal logics arise if we augment classical propositional logic (over the signature of basic propositions of the database) with the modalities $\Box$ and $\Diamond$, interpreted as "in all updated states" and "in some updated state", respectively. However, as we shall see below, interesting deviations from standard modal logics are needed to model atomic, i.e. stepwise, updates instead of arbitrary ones.

Literature on the so-called "update problem" usually aims at formalizing changes in databases triggered by arbitrarily complex changes in the environment to which the database refers. Here however, we want to model only atomic or "single-step" updates.* More exactly, each update operation is assumed to change the truth value of at most one basic proposition at a time. In general, atomic updates reflect adaption to a changing environment (or improved knowledge) only via sequences of such atomic update operations. However, we think that considering atomic updates leads to a more realistic model of the actual computational behavior of dynamic databases. At a fundamental level the evolution of any database proceeds in basic steps, each of which corresponds to some well defined atomic action that can be performed on a database entry. We aim at a conceptually clear as well as technically simple logical model of this aspect of dynamic databases.

* What we call "atomic update" here was called "single-step updates" in a previous — unpublished — version of this paper by the first author. This preliminary version of the paper is accessible at http://www.cin.ufpe.br/~wollic/wollic2000/proceedings/.

R. Nieuwenhuis and A. Voronkov (Eds.): LPAR 2001, LNAI 2250, pp. 639-653, 2001.

© Springer-Verlag Berlin Heidelberg 2001
The subtle constraint on the update relation seems to have dramatic effects for the corresponding modal logics; the set of formulas valid in all corresponding Kripke interpretations is not closed under substitution. In response to this fact we propose to use a two-sorted propositional language that allows us to distinguish between "atoms" (basic propositions of the database) and genuine propositional variables; and consequently between "concrete" and "schematic" statements about data. We define a corresponding semantics and provide complete and sound tableau calculi for the resulting logics.

We generalize this model of atomic dynamic databases to scenarios allowing for incomplete and inconsistent information. Replacing classical logic by Belnap's well-known four-valued logic [1] opens the space for new types of modal operators over corresponding update models. Some examples of such distribution modalities expressing properties of updates will be investigated. We claim that in general the concept of distribution modalities is a versatile tool to model a broad range of updates in (dynamic) databases. A variant of tableaux for finite-valued logics with distribution modalities introduced in 0 turns out to be adequate for formalizing reasoning in corresponding logics.

We emphasize that the concepts and results presented here should be considered only 
as a first step in exploring the scope and limits of many-valued Kripke structures and 
distribution modalities in the context of reasoning about dynamic databases. Accordingly, 
we conclude with a list of future topics of research. 

2 Atomic Databases and Kripke Interpretations 

Our first object of investigation is arguably the simplest logical model of a database. 
It refers to a fixed set of atomic units of information (propositions, called atoms) and 
presumes that the only information explicitly contained in the database is which of those 
atomic propositions hold and which do not hold. 

More formally, by a (classical) state (of a database) we mean a total function of type $\mathit{atoms} \to \{t, f\}$, where $\mathit{atoms}$ is a non-empty, countable set of propositional atoms. Obviously we can evaluate classical propositional formulas over the signature $\mathit{atoms}$ (and standard connectives) with respect to a state $\alpha$ as usual:

- $v_\alpha(p) = \alpha(p)$, for $p \in \mathit{atoms}$

- $v_\alpha(\top) = t$ and $v_\alpha(\bot) = f$

- $v_\alpha(\neg A) = t$ iff $v_\alpha(A) = f$

- $v_\alpha(A \circ B) = \bar{\circ}(v_\alpha(A), v_\alpha(B))$

where $\circ \in \{\wedge, \vee, \supset, \equiv\}$ and $\bar{\circ}$ is the classical boolean function associated with the binary connective $\circ$. In other words, a query is an arbitrary propositional formula $A$ over $\mathit{atoms}$, which receives the answer $v_\alpha(A)$ if the database is in state $\alpha$.

We are interested in the dynamic structure of a database; i.e., the possible transitions from states to states triggered by update operations. As explained above, we focus on the — arguably — most elementary type of an update operation: a single application of such an update operation changes the truth status of at most one atomic unit of information. Correspondingly, a state $\alpha'$ is called an atomic update of a state $\alpha$ if the following condition is satisfied:

(au) $\alpha(p) \neq \alpha'(p)$ for at most one $p \in \mathit{atoms}$.
Throughout the paper we will consider atomic updates only, and therefore often drop the adjective "atomic."

Definition 1. An (atomic-)update model is a pair $\mathcal{D} = (\Sigma, U)$ where

- $\Sigma$ is a set of states of a database over (a fixed set) $\mathit{atoms}$, i.e., a set of functions of type $\mathit{atoms} \to \{t, f\}$, and

- $U$ is a binary relation over $\Sigma$, subject to the restriction that $\forall \alpha, \alpha' \in \Sigma$: $\alpha U \alpha'$ implies that $\alpha'$ is an atomic update of $\alpha$.

We extend the expressibility of the query language by adding to it the modal operators $\Box$ and $\Diamond$, with the intended meaning "in all (reachable) updates" and "in some (reachable) update", respectively. More exactly — referring to states $\alpha$ of an atomic-update model $\mathcal{D} = (\Sigma, U)$ — we extend the definition of $v_\alpha$ as follows:

- $v_\alpha(\Box A) = t$ iff $\forall \beta \in \Sigma$: if $\alpha U \beta$, then $v_\beta(A) = t$, and

- $v_\alpha(\Diamond A) = t$ iff $\exists \beta \in \Sigma$: $\alpha U \beta$ and $v_\beta(A) = t$.

This simple logical machinery allows for the expression of statements that refer not only to the current state of a database but also to possible updates of a state.

Example 1. The formula $A \supset \Box A$ may be paraphrased as "If the statement $A$ is currently validated by the database, then all possible (atomic) updates will still validate $A$". Similarly $\Diamond A \wedge \Diamond \neg A$ expresses that $A$ is contingent, i.e., a statement that will be evaluated differently in different possible updates of the current state of the database. Likewise we can express the fact that there is no possible update of the current state by "$\neg\Diamond\top$". The statement that for every possible update (of the current state) a further update is possible is expressed by "$\Box\Diamond\top$."

There is a close connection between states of a database and worlds of a Kripke structure where a world $\beta$ is accessible from a world $\alpha$ iff $\beta$ is an atomic update of $\alpha$.

Definition 2. A (Kripke) interpretation is a triple $\mathcal{M} = (W, R, V)$ where

- $W$ is a non-empty set of worlds,

- $R$ is a binary accessibility relation on $W$,

- $V : PV \times W \to \{t, f\}$ is a truth value assignment to the infinite set $PV$ of propositional variables.

The corresponding evaluation function $v_\mathcal{M}$ that assigns a truth value to each formula $A$ in each world $w \in W$ is defined as usual. $\mathcal{M}$ is a (counter-)interpretation for a formula $A$ if $v_\mathcal{M}(A, w) = t$ ($f$) for some $w \in W$. $A$ is valid in $\mathcal{M}$ if $\mathcal{M}$ is not a counter-interpretation for $A$; i.e., if $v_\mathcal{M}(A, w) = t$ for all $w \in W$.

Definition 3. The skeleton $T(\mathcal{M})$ of an interpretation $\mathcal{M} = (W, R, V)$ is the undirected graph with $W$ as set of nodes and an edge between $v, w \in W$ iff $v \neq w$ and either $vRw$ or $wRv$. We call an interpretation $\mathcal{M}$ tree-like if its skeleton $T(\mathcal{M})$ is a tree (i.e., a connected acyclic graph).
Clearly, condition (au) corresponds to condition

(au') $wRv$ implies $V(p, v) \neq V(p, w)$ for at most one $p \in PV$.

for Kripke interpretations. We say that an interpretation $\mathcal{M} = (W, R, V)$ fulfills condition (au') on a subset $P \subseteq PV$ if for all $v, w \in W$: if $wRv$ then $V(p, v) = V(p, w)$ for all except at most one $p \in P$.

If a Kripke interpretation $\mathcal{M} = (W, R, V)$ satisfies (au') for all its worlds then it corresponds to a (unique) update model $\mathcal{D}_\mathcal{M} = (\Sigma, U)$, where $\mathit{atoms}$ is identified with $PV$, $\Sigma = \{\lambda p[V(p, w)] \mid w \in W\}$, and $\alpha U \beta \iff vRw$ where $\alpha = \lambda p[V(p, v)]$ and $\beta = \lambda p[V(p, w)]$. Conversely, every update model $\mathcal{D}$ corresponds to a Kripke interpretation $\mathcal{M}_\mathcal{D}$ that satisfies (au').

By requiring the update relation in a model to fulfill simple properties we can adapt 
our model to databases which obey certain dynamic constraints. For instance, requiring 
the update relation U to be symmetric corresponds to modeling databases for which 
every update is reversible. Similarly in many applications it will be useful to require U 
to be reflexive (corresponding to: the “empty” update operation is always applicable) 
or serial (corresponding to: every state can be updated). Observe however that, e.g., 
transitivity does not in general make sense for atomic updates: the atomic update of an 
atomic update is not expected to be atomic itself. 

Definition 4. The class of all update models is called update K-models. An update model 
is called an update KB-, D-, T-, or TB-model if its update relation is symmetric, serial, 
reflexive, or symmetric and reflexive, respectively. 

3 Concrete versus Schematic Statements 

It might seem as if — so far — we have only described just another view of normal modal logic. However, by insisting that the truth value of at most one atom can be changed in one update operation we ensured that, e.g., the formula

$F = (p \wedge q) \supset \Box(p \vee q)$

is evaluated true in all states of all models, if $p$ and $q$ are different atoms. By contrast, substituting (in $F$) $p$ for $q$ results in a formula which is false in all states in which $p$ is $t$ and where there is an atomic update in which $p$ is $f$. In other words, the set of formulas true in all states of an update model is in general not closed under substitution.

There is a simple way of recovering closure under substitution:

Definition 5. A formula $A$ is schematically valid in an (atomic-)update model $\mathcal{D} = (\Sigma, U)$ if $v_\alpha(A') = t$ for all substitution instances $A'$ of $A$ and all $\alpha \in \Sigma$.

The set of formulas that are schematically valid in all update $\Lambda$-models is called update-$\Lambda$ (for $\Lambda \in \{K, KB, D, T, TB\}$).

By definition, each update-$\Lambda$ is closed under substitution. It is easy to see that they are also closed under modus ponens and the necessitation rule. Therefore they can be considered as ordinary modal logics and can be directly compared to the corresponding standard logics (which we identify with the sets of formulas valid in all corresponding Kripke interpretations).

Our first main result is the following

Theorem 1. For $\Lambda \in \{K, KB, D, T, TB\}$, update-$\Lambda$ and (ordinary) $\Lambda$ coincide.

Proof. If a formula is valid in all $\Lambda$-interpretations then, in particular, it is valid in all $\Lambda$-interpretations satisfying condition (au') for all worlds. Since such interpretations correspond to update models it follows that $\Lambda \subseteq$ update-$\Lambda$.

For the converse we prove the following:

Claim. Every tree-like $\Lambda$-interpretation $\mathcal{M} = (W, R, V)$ can be transformed into a $\Lambda$-interpretation $\mathcal{M}' = (W, R, V')$ such that condition (au') is satisfied and for all $w \in W$: $v_\mathcal{M}(A, w) = v_{\mathcal{M}'}(A\theta, w)$ for all formulas $A$ and some substitution $\theta$.

The claim implies that if $\mathcal{M}$ is a counter-interpretation for $A$ then $\mathcal{D}_{\mathcal{M}'}$ is a counter-update-model for $A\theta$. It is a consequence of the usual tableau-based completeness proofs for $\Lambda \in \{K, KB, D, T, TB\}$ that without loss of generality a (counter-)$\Lambda$-interpretation for any formula $A$ may be assumed to be tree-like (recall Definition 3 and see, e.g., [8], but also Theorem 3 below). Therefore update-$\Lambda \subseteq \Lambda$ follows from the claim.

To establish the claim, consider the skeleton $T(\mathcal{M})$ of $\mathcal{M}$ and define

$\mathrm{diff}^P_V(v, w) = |\{p \in P \mid V(p, v) \neq V(p, w)\}|$

for each edge $(v, w)$ in $T(\mathcal{M})$. Obviously, if $\mathrm{diff}^{PV}_V(v, w) \le 1$ for all edges $(v, w)$ then $\mathcal{M}$ satisfies the atomic update condition and nothing is left to prove. Since only finitely many propositional variables can occur in a single formula $A$ we restrict our attention to the assignments in $\mathcal{M}$ of a finite subset $P$ of $PV$; more exactly we assume that — at the beginning of our construction — $V(p, w) = t$ for all $w \in W$ and all $p \in PV - P$.

Let $\mathrm{diff}^P_V(v, w) > 1$; then there are two different propositional variables $p, q \in P$ such that $V(p, v) \neq V(p, w)$ and $V(q, v) \neq V(q, w)$. We set

$\theta = \{p \mapsto (e \equiv f),\ q \mapsto (f \equiv g)\}$

for pairwise different variables $e, f, g \notin P$. We now update the truth value assignment $V$ of $\mathcal{M}$ to an assignment $V'$ such that the following three conditions are satisfied:

1. $\mathrm{diff}^{P'}_{V'}(v, w) < \mathrm{diff}^P_V(v, w)$, where $P' = P \cup \{e, f, g\}$,

2. $\mathrm{diff}^{P'}_{V'}(u, u') \le \mathrm{diff}^P_V(u, u')$ for all edges $(u, u')$ in $T(\mathcal{M})$,

3. $v_{\mathcal{M}'}(A\theta, u) = v_\mathcal{M}(A, u)$ for all $u \in W$ and all formulas $A$ built up from variables in $P$, where $\mathcal{M}' = (W, R, V')$.

We start by assigning appropriate truth values to $e, f, g$ in $v$ and $w$. Without loss of generality, we may assume that either

(a) $V(p, v) = V(q, v) = t$ and $V(p, w) = V(q, w) = f$, or

(b) $V(p, v) = V(q, w) = t$ and $V(p, w) = V(q, v) = f$.

In case (a) we set $V'(e, v) = V'(f, v) = V'(g, v) = V'(e, w) = V'(g, w) = t$ and $V'(f, w) = f$. In case (b) we set $V'(e, v) = V'(f, v) = V'(e, w) = t$ and $V'(g, v) = V'(f, w) = V'(g, w) = f$. In both cases condition 1 is satisfied and $v_{\mathcal{M}'}(A\theta, u) = v_\mathcal{M}(A, u)$ for $u \in \{v, w\}$.
Observe that $p$ and $q$ are not relevant for evaluating $A\theta$; we may thus set $V'(p, u) = V'(q, u) = t$ in all worlds $u \in W$.

The assignment of truth values to $e, f, g$ in worlds $u$ distinct from $v$ and $w$ is defined by induction on the distance $d(u)$ to the world $v$ in $T(\mathcal{M})$; where $d(u)$ is defined as the minimal number of edges in a sequence $u, u_1, \ldots, u_k, v$ of adjacent nodes. The induction hypothesis is:

(IH) Conditions 2 and 3 above are satisfied if we only consider the worlds $u \in W$ for which $d(u) \le n$.

(IH) trivially holds for $n = 1$.

Let $u'$ be a world with $d(u') = n + 1$. Since $T(\mathcal{M})$ is a tree there is a unique $u$ with $(u', u)$ in $T(\mathcal{M})$ and $d(u) = n$. By induction hypothesis, we have already defined an appropriate assignment to $e, f, g$ in $u$. To find the appropriate truth values for $e, f, g$ in $u'$ we distinguish the following cases.

(1) $V(p, u) = V(q, u) = t$. (IH) leaves two possibilities for $V'$ with respect to $e, f, g$ in $u$:

(1.1) $V'(e, u) = V'(f, u) = V'(g, u) = t$. We set $V'(e, u') = V(p, u')$ and $V'(f, u') = t$ and $V'(g, u') = V(q, u')$.

(1.2) $V'(e, u) = V'(f, u) = V'(g, u) = f$. We set $V'(e, u') = \neg V(p, u')$ and $V'(f, u') = f$ and $V'(g, u') = \neg V(q, u')$.

(2) $V(p, u) = t$ and $V(q, u) = f$. Again, (IH) leaves two possibilities:

(2.1) $V'(e, u) = V'(f, u) = t$ and $V'(g, u) = f$. $V'$ is like in case (1.1).

(2.2) $V'(e, u) = V'(f, u) = f$ and $V'(g, u) = t$. $V'$ is like in case (1.2).

(3) $V(p, u) = f$ and $V(q, u) = t$. Like case (2), except for swapping $t$ and $f$ in the assignments to $f$ in $u'$.

(4) $V(p, u) = f$ and $V(q, u) = f$. Like case (1), except for swapping $t$ and $f$ in the assignments to $f$ in $u'$.

In all cases it is easy to check that (IH) holds for $n + 1$ after the described adjustments. Therefore the construction eliminates the particular counter-example to (au') without introducing a new one. The whole construction is repeated for each pair $(x, y)$ of adjacent worlds where $\mathrm{diff}_{V^*}(x, y) > 1$ until (au') is satisfied. ($V^*$ is the respective valuation from the previous step.) □



Remark 1. As is to be expected from the intended semantics of atomic updates, update-$\Lambda = \Lambda$ does not hold in general if $\Lambda$ is a logic for which the accessibility relation is transitive. E.g., one can check that the formula

$F = (p \wedge q) \supset [\Diamond\Box\bot \vee \Box(\neg p \vee q) \vee \Diamond\Diamond(p \vee q)]$

is schematically valid in all atomic-update models with transitive update relation. However, it is easy to construct a (Kripke) counter-interpretation with transitive accessibility relation for $F$. (Modulo obvious augmentations of Definitions 4 and 5) this fact can be expressed as update-K4 $\neq$ K4. Similarly, the "update counterparts" of K5, S4, S5, etc. do not coincide with the respective standard logics.

Remark 2. Independently of any considerations on update models, Theorem 1 can be viewed as a strengthening of the completeness theorem for the standard normal logics K, KB, D, T, and TB. It states that for every non-valid formula $F$ there is a counter-interpretation of an instance of $F$ that obeys the atomic-update restriction (au'). Indeed, the proof of the theorem consists in an explicit construction of such a substitution instance and its corresponding update counter-model.

We are interested in reasoning about dynamic databases both at the level of "schematic" statements and by evaluating statements referring to concrete atoms of a database. Theorem 1 tells us that we remain within standard normal modal logics as long as only schematic validity is considered. In order to be able to refer to the schematic as well as the concrete level simultaneously we define the language over a two-sorted propositional signature:

- An atomic formula of $\mathcal{UL}$ is either an element $p \in \mathit{atoms}$ or a schematic variable or $\top$ or $\bot$. (The sets of propositional variables and atoms are disjoint.)

- Complex formulas of $\mathcal{UL}$ are built up as usual from the atomic formulas using the connectives $\neg, \wedge, \vee, \supset$ and the modalities $\Box, \Diamond$.

A formula of our extended language is called concrete if it does not contain propositional variables. Otherwise, it is called schematic. For concrete formulas $F$, $v_\alpha(F)$ is defined as in Section 2. An arbitrary (possibly schematic) formula $F$ is called valid in $\mathcal{M}$ if for all concrete formulas $F'$ that arise by substituting the propositional variables of $F$ with concrete formulas we have $v_\alpha(F') = t$ for all states $\alpha$ of $\mathcal{M}$.

Notation. We use lower case letters for atoms. Different letters always denote different atoms. Propositional variables are denoted by upper case letters from the end of the alphabet.

Example 2. The concrete formula $(a \wedge \neg b) \supset \Box(b \supset a)$ is valid in all update models. However the schematic formula $(X \wedge \neg b) \supset \Box(b \supset X)$ is not valid in most update models.

The concrete formula $\phi = \Diamond(a \wedge b) \wedge \Diamond(a \wedge \neg b) \wedge \Diamond(\neg a \wedge b) \wedge \Diamond(\neg a \wedge \neg b)$ can never evaluate to $t$, since this would mean that in at least one of the accessible updates both atoms, $a$ and $b$, are evaluated differently than in the current state. In other words $\neg\phi$ is valid in all update models. In contrast, it is easy to find counter models for $\Box(X \vee Y) \vee \Box(X \vee \neg Y) \vee \Box(\neg X \vee Y) \vee \Box(\neg X \vee \neg Y)$.
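Definition 1 and the clauses for □ and ◇ evaluated by brute force over all states of a two-atom database, checking the claims of Section 3 and of Example 2 above, as an added example in Python (not the paper's code). Assumptions: the atom set and the tuple encoding of formulas are constructed here, U is taken to be the largest relation allowed by (au), and schematic variables are represented as atom names that a substitution replaces by formulas.

```python
"""Atomic-update models of Section 2, evaluated by brute force (added example,
not the paper's own code).

Constructed setting: a database over two atoms, with every total assignment
as a state and U the largest relation allowed by condition (au). Formulas are
tuples: ('atom', a), ('top',), ('not', F), ('or', F, G), ('and', F, G),
('imp', F, G), ('box', F), ('dia', F).
"""
from itertools import product

TOP = ('top',)
def atom(a): return ('atom', a)
def neg(f): return ('not', f)
def disj(f, g): return ('or', f, g)
def conj(f, g): return ('and', f, g)
def imp(f, g): return ('imp', f, g)
def box(f): return ('box', f)
def dia(f): return ('dia', f)


def is_atomic_update(s, t):
    """Condition (au): s and t differ in the value of at most one atom."""
    return sum(s[p] != t[p] for p in s) <= 1


def update_model(atoms):
    """(Σ, U) as in Definition 1: all states over `atoms`, and the successor
    lists of U, which relates α to α' iff α' is an atomic update of α."""
    states = [dict(zip(atoms, vals))
              for vals in product((True, False), repeat=len(atoms))]
    succ = [[j for j, t in enumerate(states) if is_atomic_update(s, t)] for s in states]
    return states, succ


def value(model, i, f):
    """v_α(F) for the state with index i, following the clauses of Section 2."""
    states, succ = model
    kind = f[0]
    if kind == 'atom':
        return states[i][f[1]]
    if kind == 'top':
        return True
    if kind == 'not':
        return not value(model, i, f[1])
    if kind == 'or':
        return value(model, i, f[1]) or value(model, i, f[2])
    if kind == 'and':
        return value(model, i, f[1]) and value(model, i, f[2])
    if kind == 'imp':
        return (not value(model, i, f[1])) or value(model, i, f[2])
    if kind == 'box':            # t iff F holds in every U-successor
        return all(value(model, j, f[1]) for j in succ[i])
    if kind == 'dia':            # t iff F holds in some U-successor
        return any(value(model, j, f[1]) for j in succ[i])
    raise ValueError(f"unexpected formula {f!r}")


def valid(model, f):
    """True iff F evaluates to t in every state of the model."""
    return all(value(model, i, f) for i in range(len(model[0])))


def substitute(f, theta):
    """Substitution instance of F: atom names in theta are replaced by the
    formulas they map to (schematic variables are modelled as atom names)."""
    if f[0] == 'atom':
        return theta.get(f[1], f)
    if f[0] == 'top':
        return f
    return (f[0],) + tuple(substitute(g, theta) for g in f[1:])


P, Q = atom('p'), atom('q')
A, B = atom('a'), atom('b')
# Section 3: F holds in every state for different atoms p, q, but not
# after substituting p for q.
F_SECTION3 = imp(conj(P, Q), box(disj(P, Q)))
# Example 2: phi can never be t, so ¬phi is valid.
PHI = conj(conj(dia(conj(A, B)), dia(conj(A, neg(B)))),
           conj(dia(conj(neg(A), B)), dia(conj(neg(A), neg(B)))))

if __name__ == "__main__":
    m = update_model(('p', 'q'))
    print(valid(m, F_SECTION3))                               # True
    print(valid(m, substitute(F_SECTION3, {'q': P})))         # False
    m2 = update_model(('a', 'b'))
    print(valid(m2, neg(PHI)))                                # True
```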



4 Prefixed Tableaux Adapted to Update Models 

We have defined adequate syntax and semantics of a language that allows us to express various statements with respect to changing databases (of a particularly simple type). To substantiate the claim that this formalism provides a basis for reasoning we have to define sound and complete calculi, suitable for automated proof search. Fortunately, Fitting's analytic prefixed tableaux [8] for standard normal logics turn out to be adaptable to our scenario. (See also [15] for an overview and history of related methods.)

We assume familiarity with tableaux but review the relevant terminology.

C.G. Fermüller, G. Moser, and R. Zach

A prefix is a finite sequence of natural numbers (separated by dots). A prefix $\tau$ is a simple extension of a prefix $\sigma$ if $\tau = \sigma.n$ for some $n \in \mathbb{N}$. A prefixed formula is a pair consisting of a prefix $\sigma$ and a formula $F$ written as $\sigma :: F$. (Kripke) interpretations are extended to prefixed formulas by referring to an assignment $\phi$ of worlds to prefixes. More formally, we define $v^\phi_\mathcal{M}(\sigma :: F) = v_\mathcal{M}(F, \phi(\sigma))$. If $S$ is a set of prefixed formulas, then $\mathrm{Pre}(S)$ is the set of prefixes in $S$.

Prefixed tableaux are downward rooted trees of prefixed formulas, generated by appending new prefixed formulas to a branch according to three types of rules.



Non-modal rules:

The rules for negation and disjunction are as follows:

  (¬¬)  σ :: ¬¬F        (∨)  σ :: F ∨ G            (¬∨)  σ :: ¬(F ∨ G)
        --------             -----------------           -------------
        σ :: F               σ :: F  |  σ :: G           σ :: ¬F
                                                         σ :: ¬G

We refer to σ :: F and σ :: G in (∨) as the two sides of the conclusion. The rules for conjunction and implication are similar.

Modal rules:

The rules for analyzing the modality □ in the basic modal logic K are

  (K)  σ :: □F        (π)  σ :: ¬□F
       ---------           ----------
       σ.n :: F            σ.n :: ¬F

where for (π) n is such that the prefix σ.n is new to the current branch and for (K) σ.n has already been used in the current branch. ◇ is treated as ¬□¬. For serial, reflexive, and symmetric models we have to add the following rules, respectively:

  (D)  σ :: □F        (T)  σ :: □F        (KB)  σ.n :: □F
       --------            --------             ---------
       σ :: ◇F             σ :: F               σ :: F

Closure rules:

The closure rules for standard modal logics are

  σ :: ¬F        σ :: ¬⊤
  σ :: F         -------
  -------        closed
  closed

To accommodate the difference between atoms and schematic variables in the language $\mathcal{UL}$ as well as the atomic update condition in update models it suffices to extend the standard tableau calculi by additional closure rules.

(Atomic) update closure rules:

  σ :: a        σ :: ¬a       σ :: a        σ :: ¬a
  σ.n :: ¬a     σ.n :: a      σ.n :: ¬a     σ.n :: a
  σ :: b        σ :: b        σ :: ¬b       σ :: ¬b
  σ.n :: ¬b     σ.n :: ¬b     σ.n :: b      σ.n :: b
  ---------     ---------     ---------     ---------
  closed        closed        closed        closed

where a and b are different atoms.




Tableaux for Reasoning about Atomic Updates

If $\Lambda$ is one of the logics K, KB, D, T, or TB, then a tableau constructed according to the above rules and the corresponding modal rules is called an update $\Lambda$-tableau.

A branch $B$ of a tableau is closed if one of the above closure rules is applicable; otherwise $B$ is called open. Let $B$ be an open branch; the result $B'$ of applying a rule $\rho$ to one of the prefixed formulas in $B$ and adding the prefixed formula(s) of (one side of) the conclusion of $\rho$ to $B$ is called an extension of $B$, as usual.

If all branches in a tableau $T$ are closed, then $T$ is called closed.

A closed update $\Lambda$-tableau with root $1 :: \neg F$ is a tableau proof of $F$. We will establish soundness and completeness of the presented tableau calculi, following essentially the proofs for standard normal logics as presented, e.g., in [18], [4], [12].
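The calculus above for the basic logic K, run as a proof procedure over the formulas of Example 2 and Section 3, as an added example in Python (not the paper's code). Assumptions: only the K rules (K) and (π) are implemented together with the non-modal and closure rules; ∧, ⊃ and ◇ are expanded into ¬, ∨ and □ the way the paper treats ◇; the tuple encoding of formulas is constructed here.

```python
"""Prefixed update-K-tableau of Section 4 (added example, not the paper's code).

Rules implemented: (¬¬), (∨), (¬∨), the K rules (K) and (π), the two standard
closure rules and the four atomic update closure rules. Only the basic logic
K is covered; (D), (T) and (KB) are not included. ∧, ⊃ and ◇ are expanded
into ¬, ∨ and □, as the paper does for ◇.
"""
from itertools import count

TOP = ('top',)
def atom(a): return ('atom', a)          # database atom (lower case in the paper)
def var(x): return ('var', x)            # schematic variable (upper case)
def neg(f): return ('not', f)
def disj(f, g): return ('or', f, g)
def conj(f, g): return neg(disj(neg(f), neg(g)))   # F ∧ G  as  ¬(¬F ∨ ¬G)
def imp(f, g): return disj(neg(f), g)              # F ⊃ G  as  ¬F ∨ G
def box(f): return ('box', f)
def dia(f): return neg(box(neg(f)))                # ◇F  as  ¬□¬F


def literal(f):
    """(kind, name, sign) for a possibly negated atom or variable, else None."""
    sign = True
    if f[0] == 'not' and f[1][0] in ('atom', 'var'):
        sign, f = False, f[1]
    return (f[0], f[1], sign) if f[0] in ('atom', 'var') else None


def children(sigma, prefixes):
    """Simple extensions σ.n of σ present on the branch."""
    return [tau for tau in prefixes if len(tau) == len(sigma) + 1 and tau[:-1] == sigma]


def update_closed(lits, prefixes):
    """Atomic update closure: σ and some σ.n disagree on two different atoms.
    The four rules of the paper are the four sign combinations of this check;
    schematic variables are deliberately ignored."""
    for sigma in prefixes:
        for tau in children(sigma, prefixes):
            changed = {a for (p, k, a, s) in lits
                       if p == sigma and k == 'atom' and (tau, 'atom', a, not s) in lits}
            if len(changed) >= 2:
                return True
    return False


def closed(todo, lits, boxes, prefixes, fresh):
    """True iff every branch extending the current one closes.
    lits: literals on the branch; boxes: □-formulas per prefix (for (K) on
    prefixes created later); prefixes: Pre(branch); fresh: counter for (π)."""
    todo = list(todo)
    while todo:
        sigma, f = todo.pop()
        lit = literal(f)
        if lit is not None:
            kind, name, sign = lit
            if (sigma, kind, name, not sign) in lits:      # σ :: F and σ :: ¬F
                return True
            lits = lits | {(sigma, kind, name, sign)}
            if update_closed(lits, prefixes):
                return True
        elif f == TOP:
            continue
        elif f == neg(TOP):                                 # σ :: ¬⊤
            return True
        elif f[0] == 'not' and f[1][0] == 'not':            # (¬¬)
            todo.append((sigma, f[1][1]))
        elif f[0] == 'or':                                  # (∨): both sides must close
            return all(closed(todo + [(sigma, g)], lits, boxes, prefixes, fresh)
                       for g in f[1:])
        elif f[0] == 'not' and f[1][0] == 'or':             # (¬∨)
            todo += [(sigma, neg(g)) for g in f[1][1:]]
        elif f[0] == 'box':                                 # (K): every σ.n already used
            boxes = {**boxes, sigma: boxes.get(sigma, ()) + (f[1],)}
            todo += [(tau, f[1]) for tau in children(sigma, prefixes)]
        elif f[0] == 'not' and f[1][0] == 'box':            # (π): σ.n new to the branch
            tau = sigma + (next(fresh),)
            prefixes = prefixes | {tau}
            todo.append((tau, neg(f[1][1])))
            todo += [(tau, g) for g in boxes.get(sigma, ())]  # (K) for □-formulas seen earlier
        else:
            raise ValueError(f"unexpected formula {f!r}")
    return False


def provable(f):
    """F has a tableau proof iff the update-K-tableau with root 1 :: ¬F closes."""
    return closed([((1,), neg(f))], frozenset(), {}, frozenset({(1,)}), count(1))


A, B, X = atom('a'), atom('b'), var('X')

if __name__ == "__main__":
    # Example 2: the concrete formula closes by an update closure rule,
    # its schematic counterpart leaves an open branch.
    print(provable(imp(conj(A, neg(B)), box(imp(B, A)))))   # True
    print(provable(imp(conj(X, neg(B)), box(imp(B, X)))))   # False
```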

Let $\Pi$ be a set of prefixes. Let $\sigma \triangleright \tau$ ($\sigma, \tau \in \Pi$) denote that $\tau$ is $\Lambda$-accessible from $\sigma$. The definition of $\triangleright$ is given in the following table. (We call a prefix $\sigma$ a $\Lambda$-deadend if $\Lambda$ is non-serial and if there is no $\tau$ accessible from $\sigma$. In the case of the serial counterpart of $\Lambda$ we demand that any $\Lambda$-deadend is made reflexive.)



  Λ     σ ▷ τ iff
  ----  --------------------------------------------
  K     τ = σ.n for some n ≥ 1
  KB    τ = σ.n or σ = τ.m
  D     K-condition or (σ is a K-deadend and σ = τ)
  T     τ = σ.n or τ = σ
  TB    τ = σ or τ = σ.n or σ = τ.m

This definition implies that $(\Pi, \triangleright)$ is a $\Lambda$-frame for $\Lambda \in \{K, KB, D, T, TB\}$. In the following, we identify the set of propositional atoms $\mathit{atoms}$ with a subset of $PV$ (this subset is again denoted as $\mathit{atoms}$), thus treating our two-sorted (prefixed) $\mathcal{UL}$-formulas as ordinary (prefixed) formulas of modal logic.

A branch $B$ of an update $\Lambda$-tableau is satisfied by a $\Lambda$-interpretation $\mathcal{M} = (W, R, V)$ if there is an assignment $\phi$ such that $v^\phi_\mathcal{M}(\sigma :: F) = t$ for all $\sigma :: F$ in $B$.

Observe that open branches of update tableaux are, by definition, also branches of ordinary (modal) tableaux. Hence the following lemma is standard.

Lemma 1. Let $B$ be an open branch in an update $\Lambda$-tableau. Assume that $B$ is satisfied by a $\Lambda$-interpretation $\mathcal{M}$ such that for all $w \in W$, condition (au') is fulfilled. Then every extension $B'$ of $B$ is also satisfied by $\mathcal{M}$.

Theorem 2 (Soundness). Let $\Lambda \in \{K, KB, D, T, TB\}$. If $F$ has an update $\Lambda$-tableau proof then $F$ is valid in all update $\Lambda$-models.

Proof. (Indirectly.) Suppose that $F$ is not valid in all update $\Lambda$-models. Then some instance $F'$ of $F$ has a counter-$\Lambda$-interpretation $\mathcal{M} = (W, R, V)$, which fulfills condition (au') for all $w \in W$.

Now assume that there exists a tableau proof $T$ of $F$. We can instantiate $T$ to obtain a closed tableau $T'$ with root $1 :: \neg F'$. By the first assumption $v_\mathcal{M}(\neg F', w) = t$ for some $w \in W$. Using Lemma 1 inductively, it follows that there exists a branch in $T'$ satisfied by $\mathcal{M}$. This contradicts the assumption that $T$ and hence also $T'$ is closed. □

A set $S$ of prefixed $\mathcal{UL}$-formulas is atomically closed if

1. There is a formula $A$ such that both $\sigma :: A$ and $\sigma :: \neg A$ occur in $S$, or

2. $\sigma :: \neg\top$ occurs in $S$, or

3. one of the following cases holds, where $a, b$ are different atoms:

$\{\sigma :: a,\ \sigma.n :: \neg a,\ \sigma :: b,\ \sigma.n :: \neg b\} \subseteq S$

$\{\sigma :: \neg a,\ \sigma.n :: a,\ \sigma :: b,\ \sigma.n :: \neg b\} \subseteq S$

$\{\sigma :: a,\ \sigma.n :: \neg a,\ \sigma :: \neg b,\ \sigma.n :: b\} \subseteq S$

$\{\sigma :: \neg a,\ \sigma.n :: a,\ \sigma :: \neg b,\ \sigma.n :: b\} \subseteq S$

A set $S$ of prefixed $\mathcal{UL}$-formulas is $\Lambda$-downward saturated if it is not atomically closed and the usual conditions for downward saturatedness are satisfied by composite formulas $F$. (See, e.g., [12,8].) We recall only the case where $F = \sigma :: \Box A$: Let $\Pi = \mathrm{Pre}(S)$; if $\sigma :: \Box A$ occurs in $S$, then $\tau :: A \in S$ for every $\tau \in \Pi$ such that $\sigma \triangleright \tau$.

We use the following corollary, extracted from the proof of Theorem 1.

Corollary 1. Let $\mathcal{M} = (W, R, V)$ be a tree-like $\Lambda$-interpretation that, for all $w \in W$, fulfills the atomic update condition (au') on some subset $P$ of $PV$. Then there exists a $\Lambda$-interpretation $\mathcal{M}' = (W, R, V')$ such that for all $w \in W$: $w$ fulfills the atomic update condition (au') on all $PV$ and $v_\mathcal{M}(A, w) = v_{\mathcal{M}'}(A\theta, w)$ for all formulas $A$ and some substitution $\theta$ with domain $PV - P$.

Theorem 3 (Completeness). For $\Lambda \in \{K, KB, D, T, TB\}$, if a $\mathcal{UL}$-formula $F$ is valid in all update $\Lambda$-models, then there exists a tableau proof of $F$.

Proof. (Indirectly.) Suppose that all tableaux with root $1 :: \neg F$ have an open branch. Then a systematic tableau construction, as described in [12] or [8], yields an open branch $B$ that is downward saturated. As in the standard completeness proofs, one can show that $B$ is satisfied by a tree-like $\Lambda$-interpretation $\mathcal{M} = (W, R, V)$. In particular, we have $v^\phi_\mathcal{M}(1 :: F) = f$ for some assignment $\phi$. Moreover, since $B$ is $\Lambda$-downward saturated, (au') is fulfilled on (the subset of $PV$ called) $\mathit{atoms}$ (because of clause 3 in the definition of atomic closure, above). By Corollary 1 we obtain a counter-$\Lambda$-interpretation $\mathcal{M}' = (W, R, V')$ for $F'$ that fulfills (au') on all variables, where in $F'$ only variables that are not in $\mathit{atoms}$ have been instantiated. But this implies that $F$ cannot be valid in all update $\Lambda$-models. □



Remark on Integrity Constraints

In reasoning about changing states of a database, integrity constraints are of central importance. By an integrity constraint we simply mean a condition, referring to specific atoms and/or schematic variables, that has to be fulfilled in all states of a given database. Assuming that, in reference to a single state, those conditions are expressible in $\mathcal{UL}$, the framework of prefixed tableaux allows the inclusion of integrity constraints in reasoning about databases by simply treating the corresponding formulas of $\mathcal{UL}$ as global axioms (in the sense of [8,14]).
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5 Incomplete and Inconsistent Data 



Our model of the dynamic behavior of a database is yet too simple to capture phenomena 
like possibly incomplete and inconsistent data. However, we claim that the basic for- 
malism of atomic update models and corresponding tableaux is easily adapted to such 
scenarios. 

Belnap's four-valued logic [1] has been suggested repeatedly as a tool for reasoning 
about (possibly) inconsistent and incomplete information. The main intuition in this 
context is that a database may not only contain information implying that a statement is 
false or true, but such information may also be absent or inconsistent. The four possible 
states of knowledge are represented by the four truth values f (false), u (undetermined), 
⊥ (inconsistent), and t (true), respectively. This intended interpretation induces the fol-
lowing truth functions for the connectives ¬, ∧, and ∨: 







   x | ¬x        ∧ | f  u  ⊥  t        ∨ | f  u  ⊥  t
  ---+----      ---+------------      ---+------------
   f | t         f | f  f  f  f        f | f  u  ⊥  t
   u | u         u | f  u  f  u        u | u  u  t  t
   ⊥ | ⊥         ⊥ | f  f  ⊥  ⊥        ⊥ | ⊥  t  ⊥  t
   t | f         t | f  u  ⊥  t        t | t  t  t  t


For the definition of other connectives (in particular forms of implication) and the 
choice of designated truth values we refer to the extensive investigations of Avron and 
Arieli (see, e.g., EH). 

The many-valued context allows us to extend the classical universal and existential 
modalities to the more general concept of distribution modalities, introduced in [2]. 
Let V be the set of truth values; and, correspondingly, let a state of a database be an 
assignment α : atoms → V. Then any function $\tilde\mu$ of type $2^V \to V$ induces a truth function 
of a distribution modality μ by: 

$$v_\alpha(\mu F) = \tilde\mu\big(\{v_\beta(F) \mid \beta \in \Sigma : \alpha U \beta\}\big).$$



Here Σ is the set of states of the update model D and U is its accessibility relation; $\{v_\beta(F) \mid 
\beta \in \Sigma : \alpha U \beta\}$ is called the distribution of F in D at α. Again, a (many-valued) update 
model corresponds to a (many-valued) Kripke interpretation. In particular, we call the 
update models in which the states of the database consist in assignments of type atoms → 
{t, u, f, ⊥} Belnap update structures. This context allows us to define modalities like 

- det(F) with the intended meaning: “No update renders information on F incomplete 
or inconsistent”, and 

- unif(F) with the intended meaning: “F is evaluated uniformly in all updates”. 



Since det(F) is intended to express a meta-linguistic (and therefore classical) property 
of F within the object language itself, it always evaluates to t or f. More exactly, its 
semantics is fixed by: 



$$\mathrm{det}(W) = \begin{cases} t & \text{if } W = \emptyset,\ \{f\},\ \{t\},\ \text{or } \{t,f\} \\ f & \text{otherwise} \end{cases}$$

On the other hand, "uniform evaluation" admittedly is an ambiguous concept. Cer-
tainly, we want unif(F) to be true if either F evaluates to t in all updates, or to f in all 
updates. Likewise, it is clear that unif(F) is false if the distribution contains t and f (i.e., 
if there is an update evaluating the formula to t, but also another update that evaluates it 
to f). But we want unif(F) to be undetermined if the distribution of F contains u. One 
way to round off and formalize these intuitions is to define the truth function for unif as 
follows: 



   W ⊆ V                                          | unif(W)
  ------------------------------------------------+--------
   …                                              | t
   {u}, {u,f}, {u,t}                              | u
   …                                              | f
   {⊥}, {f,⊥}, {⊥,t}, {u,⊥}, {f,u,⊥}, {u,⊥,t}     | ⊥


Of course, det and unif are just two simple examples. Observe that there are $4^{16}$ 
possible distribution modalities definable over Belnap update structures. All of them 
refer to properties of the "truth status" of statements with respect to the class of possible 
stepwise evolutions of the database. We also remind the reader that Belnap update models 
come in different variants according to different constraining properties of the update 
relation. 

To define a particular Belnap update logic with respect to a class of Belnap update 
models we therefore have to fix three independent parameters (in addition to the set of 
atoms and propositional variables): 

(1) a set of designated truth values $V_d \subseteq V$; usually {t} or {t, ⊥}; 

(2) a set $\{\mu_1, \ldots, \mu_n\}$ of distribution modalities (with associated truth functions 
$\tilde\mu_1, \ldots, \tilde\mu_n$) and four-valued connectives (specified by their truth tables); 

(3) properties like symmetry or reflexivity, which we want the update relation to observe. 

We call a concrete formula F valid in such a logic if $v_\alpha(F) \in V_d$ for all states α of all 
corresponding atomic update models D. This is extended to schematic formulas in the 
obvious way. (See above.) 

6 Prefixed Signed Tableaux for Belnap Update Models 

It is well known that appropriate analytic calculi for all (truth functional) finite valued 
logics can be defined using signed versions of tableaux (see, e.g., [13]). These can be 
extended to finite valued modal logics by combining prefixes (denoting worlds) and 
signs (denoting truth values) as was shown in [7]. We describe a simplified example of 
the latter calculi, adapted for update structures, for the special case of Belnap update 
models with serial (but otherwise general) update relation and (only) modality det.^ 

A prefixed signed formula is a triple consisting of a finite sequence of natural num-
bers σ (prefix), a truth value v, and a formula F, written as σ: [v]: F. 

Remark 3. In classical logic the prefixed signed formulas σ: [t]: F and σ: [f]: F are just 
notational variants of the prefixed formulas σ :: F and σ :: ¬F, respectively. For many-
valued logics truth value signs are not only an elegant way to make semantic information 
explicit but are, in general, needed to obtain complete tableau calculi. 

^ Other properties of the update relation result in simple technical variations of some modal rules. 
The corresponding calculi are omitted here for space reasons. 
Again, a (prefixed signed) tableau is a downward rooted tree of prefixed signed 
formulas, constructed using the following rules. 

Non-modal rules: can directly be read off from the truth tables of the connectives. We 
refer to [13,16] for general methods and results about constructing optimal rules. 

Closure rules: The standard closure rule is 

    σ: [v]: F 
    σ: [w]: F 
    --------- 
     closed 

where v and w are different truth values. (F need not be atomic.) 

A modal operator μ induces an additional closure rule if a formula μF never eval-
uates to a particular truth value. For instance, the modality det triggers the following 
two closure rules: 

    σ: [u]: det(F)        σ: [⊥]: det(F) 
    --------------        -------------- 
        closed                closed 

Modal rules: 

A general method for constructing modal rules from associated truth functions is 
described in [7]. We present greatly simplified^ versions for the remaining cases of 
det-modalized formulae: 

          σ: [t]: det(F)                     σ: [f]: det(F) 
    ---------------------------        --------------------------- 
    σ.n: [t]: F  |  σ.n: [f]: F        σ.n: [u]: F  |  σ.n: [⊥]: F 

where σ.n already occurs on the branch. 

(Atomic) update closure rule: 

    σ: [v1]: a 
    σ.n: [u1]: a 
    σ: [v2]: b 
    σ.n: [u2]: b 
    ------------ 
      closed 

where a and b are different atoms and v_i ≠ u_i for i = 1 and i = 2. 

The results of [7] and Theorems 2 and 3 can be combined straightforwardly to obtain 

Theorem 4. A formula F is valid in a Belnap update logic if and only if for all non-
designated truth values v there exists a corresponding update tableau with root 1: [v]: F 
that is closed. 



Remark 4. For all mentioned variants of update logics, systematic and terminating 
tableau construction procedures can be defined as usual. This, in particular, implies 
the decidability of these logics. 

^ The simplification makes essential use of the fact that det is the only modal operator and that 
the update relation is serial, but otherwise unrestricted. 
7 Open Ends 

Other types of update operations. Obviously atomic updates as defined by condition 
(au) are only a special case. One might, e.g., study multiple update relations that 
are indexed by the "new information" that triggers the update. This information is 
often represented by a boolean combination of atoms and thus naturally induces 
a corresponding algebra of update relations (similar to the algebra of programs in 
dynamic logic). 

Different underlying many-valued logics. Update models can be defined over all 
kinds of truth functional logics as mechanism for "local" evaluation. As an interest-
ing example we mention the bi-lattice based logics suggested by M.L. Ginsberg [11] 
for modeling default reasoning. Also dynamic fuzzy databases can be modeled by 
building on an appropriate fuzzy logic (e.g., some finite-valued Łukasiewicz logic). 

Other useful distribution modalities. As explained above, every function of type 
$2^V \to V$ induces a distribution modality. A systematic investigation of expressibil-
ity, complexity of corresponding rules and functional dependency between different 
sets of modalities is still lacking. 

Modeling global update constraints. As a simple example consider the condition — 
for Belnap update models — that updates can only increase knowledge about data. 
Technically this corresponds to requiring α(a) ≤_k β(a) if αUβ, where ≤_k is the 
partial "knowledge order" defined by u <_k t <_k ⊥ and u <_k f <_k ⊥. 

First-order reasoning. Both update models and corresponding tableaux are readily 
generalized to the first-order level. This move, of course, vastly improves the ex-
pressibility and complexity of the corresponding logics. Their strength and limits 
should also be explored. 
1 Introduction 

Numerical computations form an essential part of almost any real-world pro- 
gram. Clearly, in order for a termination analyser to be of practical use it should 
contain a mechanism for inferring termination of such computations. However, 
this topic attracted less attention of the research community. In this work we 
concentrate on automatic termination inference for logic programs depending 
on numerical computations. Dershowitz et al. [5] showed that termination of 
general numerical computations, for instance on floating point numbers, may be 
counter-intuitive, i.e., the observed behaviour does not necessarily coincide with 
the theoretically expected one. Thus, we restrict ourselves to integer computa- 
tions only. 

While discussing termination of integer computations the following question 
should be asked: what conditions on the queries should be assumed, such that 
the queries will terminate. We refer to this question as the termination inference 
problem. 

Example 1. p(X) ← X < 7, X1 is X + 1, p(X1). This program terminates for 
queries p(X), for all integer values of X. Thus, the answer for the termination 
inference problem is the condition "true". □ 

This example also hints at why the traditional approaches to termination 
analysis fail to prove termination of this example. These approaches are mostly 
based on the notion of level mapping, that is, a function from the set of all 
possible atoms to the natural numbers, which should decrease while traversing 
the rules. In our case, such a level mapping should depend on X, but X can be 
negative as well! 

Two approaches for solving this problem are possible. First, one can change 
the definition of the level mapping to map atoms to integers. However, integers 
are, in general, not well-founded. To prove termination one should prove that 
the mapping is to some well-founded subset of integers. In the example above 
(−∞, 7) forms such a subset with an ordering ≻, such that x ≻ y if x < y, with 
respect to the usual ordering on integers. 

* supported by GOA: “LP'^\ a second generation logic programming language”. 
The second approach that we present in the paper does not require changing 
the definition of level mapping. Indeed, the level mapping as required exists. It 
maps p(X) to 7 − X if X < 7 and to 0 otherwise. This level mapping decreases 
while traversing the rule, i.e., the size of p(X), 7 − X, is greater than the size 
of p(X1), 6 − X, thus proving termination. We present a transformation that 
allows us to define such level mappings in an automatic way by incorporating 
techniques of [8], such as level mapping inference, in the well-known framework 
of acceptability with respect to a set. This integration provides not only 
a better understanding of termination behaviour of integer computations, but 
also the possibility to perform the analysis automatically as in Decorte et al. [2]. 

The rest of the paper is organised as follows. After making some preliminary 
remarks, we present in Section 3 our transformation — first by means of an ex- 
ample, then more formally. In Section 4 we discuss more practical issues and 
present the algorithm implementing the termination inference. In Section 5 we 
discuss further extensions, such as proving termination of programs depending in 
numerical computations as well as symbolic ones. Then we review related work 
and conclude. 

2 Preliminaries 

We follow the standard notation for terms and atoms. A query is a finite sequence 
of atoms. Given an atom A, rel(A) denotes the predicate occurring in A. Atom_P 
denotes the set of all atoms that can be constructed from the language underlying 
P. The extended base B_P is the quotient set of Atom_P modulo the variant relation. 
An SLD-tree constructed using the left-to-right selection rule of Prolog is called 
an LD-tree. A goal G LD-terminates for a program P if the LD-tree for (P, G) 
is finite. 

Definition 1. Let P be a program and p, q be predicates occurring in it. We 
say that p refers to q in P if there is a clause in P that uses p in its head and q 
in its body; that p depends on q in P, and write p ⊑ q, if (p, q) is in the transitive, 
reflexive closure of the relation refers to; and that p and q are mutually recursive, 
and write p ≃ q, if p ⊑ q and q ⊑ p. 

We recall some basic notions related to termination analysis. A level mapping 
is a function | · |: B_P → N, where N is the set of the naturals. 

We study termination of programs with respect to sets of queries. The fol- 
lowing notion is one of the most basic notions in this framework. 

Definition 2. Let P be a definite program and S be a set of atomic queries. 
The call set, Call{P,S), is the set of all atoms A, such that a variant of A is a 
selected atom in some derivation for PU {•<— Q}, for some Q G S and under the 
left-to-right selection rule. 

The following definition generalises the notion of acceptability with re-
spect to a set by extending it to mutual recursion. 

Definition 3. Let S be a set of atomic queries and P a definite program. P is 
acceptable with respect to S if there exists a level mapping | · | such that for any 
A ∈ Call(P, S), for any clause A' ← B_1, …, B_n in P such that mgu(A, A') = θ exists, 
for any B_i such that rel(B_i) ≃ rel(A) and for any c.a.s. σ for ← (B_1, …, B_{i−1})θ, 
it holds that |A| > |B_iθσ|. 

De Schreye et al. [?] characterise LD-termination in terms of acceptability. 

Theorem 1. (cf. [?]) Let P be a program. P is acceptable with respect to a set 
S if and only if P is LD-terminating for all queries in S. 

We also need to introduce the notion of interargument relations. 

Definition 4. Let P be a definite program, p/n a predicate in P. An inter-
argument relation for p/n is R_p ⊆ N^n. R_p is a valid interargument relation for 
p/n with respect to a norm || · || if and only if for every p(t_1, …, t_n) ∈ Atom_P, 
if P ⊨ p(t_1, …, t_n) then (||t_1||, …, ||t_n||) ∈ R_p. 

To characterise program transformations Bossi and Cocco introduced 
the following notion for a program P and a query Q: M[P](Q) = 
{σ | there is a successful LD-derivation of Q and P with c.a.s. σ} ∪ {⊥ | 
there is an infinite LD-derivation of Q and P}. 



3 Methodology 

In this section we introduce our methodology using a simple example. In the 
subsequent sections, we formalise it and discuss different extensions. 

The following example generates an oscillating sequence and stops if the 
generated value is greater than 1000 or smaller than —1000. 

Example 2. We are interested in proving termination of the set of queries S = 
{p(z) | z is an integer} with respect to the following program: 
p(X) ← X > 1, X < 1000, X1 is −X * X, p(X1). 
p(X) ← X < −1, X > −1000, X1 is X * X, p(X1). 

The direct attempt to define the level mapping of p{X) as X fails, since X can 
be positive as well as negative. Thus, a more complex level mapping should be 
defined. We start with some observations. 

The first clause is applicable if 1 < X < 1000, the second one if −1000 < 
X < −1. Thus, termination of p(X) for X < −1000, −1 < X < 1 or X > 1000 is 
trivial. Moreover, if an infinite sequence is obtained by applying the first clause at 
the first step, then for the recursive call p(X1) it holds that −1000 < X1 < −1, 
and if the second clause was applied at the first step of the infinite sequence, 
then for the recursive call p(X1) it holds that 1 < X1 < 1000. We use this 
observation and replace the predicate p with two new predicates p^{1<X<1000} and 
p^{−1000<X<−1}, such that p^{1<X<1000} is called if p(X) is called and 1 < X < 1000 
holds, and p^{−1000<X<−1} is called if p(X) is called and −1000 < X < −1 holds. 

The following program is obtained: 
p^{1<X<1000}(X) ← X > 1, X < 1000, X1 is −X * X, p^{−1000<X<−1}(X1). 
p^{−1000<X<−1}(X) ← X < −1, X > −1000, X1 is X * X, p^{1<X<1000}(X1). 

Now we define two different level mappings, one for atoms of p^{1<X<1000} and 
another one for atoms of p^{−1000<X<−1}. Let |p^{1<X<1000}(n)| = 1000 − n if 
1 < n < 1000 and 0 otherwise, and let |p^{−1000<X<−1}(n)| = 1000 + n if −1000 < 
n < −1 and 0 otherwise. We verify acceptability of the transformed program 
with respect to {p^{1<X<1000}(n) | 1 < n < 1000} ∪ {p^{−1000<X<−1}(n) | −1000 < 
n < −1}. This implies termination of the transformed program with respect to 
these queries, and thus termination of the original program with respect to S. 

Due to the lack of space we discuss only queries of the form p^{1<X<1000}(n) 
for 1 < n < 1000. The only clause whose head can be unified with this query is 
the first clause. The only atom of a predicate mutually recursive with p^{1<X<1000} 
is p^{−1000<X<−1}(m). Then, |p^{1<X<1000}(n)| > |p^{−1000<X<−1}(m)| should hold^, 
i.e., 1000 − n > 1000 + m, that is, 1000 − n > 1000 − n² (n > 1 and m = −n²), 
which is true for n > 1. □ 

The intuitive presentation above hints at the major issues to be discussed in the 
following sections: how the cases such as those above can be extracted from the 
program, and how the program should be transformed. 

3.1 Basic Notions 

In this section we formally introduce some notions that further analysis will be 
based on. Recall that the aim of our analysis is to find, given a predicate and 
a query, a sufficient condition for termination of this query with respect to this 
program. Thus, we need to define a notion of a termination condition. We start 
with a number of auxiliary definitions. 

Definition 5. Let p be a predicate of arity n. Then $1^p, …, $n^p are called 
argument position denominators. 

If the predicate is clear from the context the superscripts will be omitted. 

Definition 6. Let P be a program, S be a set of queries. An argument position 
i of a predicate p is called integer argument position, if for every p{ti , . . . , t„) G 
Call{P, S) , ti is an integer. 

Argument position denominators corresponding to integer argument positions 
will be called integer argument position denominators. 

An integer inequality is an atom of one of the following forms Expl > Exp2, 
Expl < Exp2,Expl > Exp2 or Expl < Exp2, where Expl and Exp2 are con- 
structed from integers, variables and the four operations of arithmetics. A sym- 
bolic inequality over the arguments of a predicate p is constructed similarly to 
an integer inequality. However, instead of variables, integer argument positions 
denominators are used. 

Example 3. X > 0 and X < X + 5 are integer inequalities. Given a predicate p 
of arity 3 having only integer argument positions, $1^p > 0 and $2^p < $1^p + $3^p 
are symbolic inequalities over the arguments of p. □ 

^ The clause is applicable only if 1 < n < 1000. Thus, |p^{−1000<X<−1}(m)| = 1000 + m. 
Disjunctions of conjunctions based on integer inequalities are called integer 
conditions. Similarly, propositional calculus formulae based on symbolic inequal- 
ities over the arguments of the same predicate are called symbolic conditions over 
the integer arguments of this predicate. 

Definition 7. Let p(t_1, …, t_n) be an atom and let C_p be a symbolic condition 
over the arguments of p. An instance of the condition with respect to an atom, 
C_p(p(t_1, …, t_n)), is obtained by replacing the argument position denominators 
with the corresponding arguments, i.e., $i^p with t_i. 

Example 4. Let p(X, Y, 5) be an atom and let C_p be ($1^p > 0) ∧ ($2^p < $1^p + $3^p). 
Then, C_p(p(X, Y, 5)) is (X > 0) ∧ (Y < X + 5). □ 

Now we are ready to define termination condition formally. 

Definition 8. Let P be a program, and Q be an atomic query. A symbolic con-
dition C_{rel(Q)} is a termination condition for Q if, given that C_{rel(Q)}(Q) holds, Q 
left-terminates with respect to P. 

A termination condition for Example 1 is true, i.e., p(X) terminates for every 
integer X. We'll see further that this is not always the case. 

We discuss now inferring what values integer arguments can take during 
traversal of the rules, i.e., the "case analysis" performed in Example 2. It provides 
already the underlying intuition: calls of the predicate p^c are identical to the 
calls of the predicate p where c holds for its arguments. More formally, we define 
a notion of set of adornments. Later we specify when it is guard-tuned and we 
show how such a guard-tuned set of adornments can be constructed. 

Definition 9. Let p be a predicate. The set A_p = {c_1, …, c_n} of symbolic con-
ditions over the integer arguments of p is called a set of adornments for p if for 
all i, j such that 1 ≤ i < j ≤ n, c_i ∧ c_j = false and ⋁_{i=1}^{n} c_i = true. 

Example 5. Example 2 continued. The following are examples of sets of adorn-
ments: {$1 < 100, $1 > 100} and {($1 < −1000) ∨ (−1 < $1 < 1) ∨ ($1 > 
1000), −1000 < $1 < −1, 1 < $1 < 1000}. □ 

3.2 Program Transformation 

The next question that should be answered is how the program should be trans- 
formed given a set of adornments. After this transformation p‘^(Xi , . . . , A„) will 
behave with respect to the transformed program exactly as p{Xi , . . . , X„) does, 
for all calls that satisfy the condition c. To define a transformation formally we 
introduce the following definition: 

Let H ← B_1, …, B_n be a rule. B_1, …, B_i is called a prefix of the rule if for 
all j, 1 ≤ j ≤ i, B_j is an integer inequality and the only variables in its 
arguments are variables of H. B_1, …, B_i is called the maximal prefix of the rule 
if it is a prefix and B_1, …, B_{i+1} is not a prefix. 
Since a prefix constrains only variables appearing in the head of a clause there 
exists a symbolic condition over the arguments of the predicate of the head, such 
that the prefix is its instance with respect to the head. In general, this symbolic 
condition is not necessarily unique. The following notion guarantees uniqueness 
of such symbolic conditions. In this case we say that the symbolic condition 
corresponds to the prefix. 

Definition 10. A rule H ← B_1, …, B_n is called partially normalised if all 
integer argument positions in H are occupied by distinct variables^. 

We will also say that a program P is partially normalised if all the rules 
in P are partially normalised. After integer argument positions are identified a 
program can be easily rewritten to partially normalised form. 

Now we are ready to present the transformation formally. 

Definition 11. Let P be a program and let p be a predicate in it. Let A = 
⋃_{q ≃ p} A_q be the set of possible adornments for P. Then, the program P^a, called 
adorned with respect to p, is obtained in two steps as follows: 

1. For every rule r in P, for every subgoal q(t_1, …, t_n) in the body of r, s.t. 
p ≃ q, and for every A ∈ A_q replace q(t_1, …, t_n) by q^A(t_1, …, t_n). 

2. For every rule r: 

Are adornments and inequalities in the body of r consistent? * 

If not — reject the rule. 

If r defines some q, such that q ≃ p, 

get as adornments of the head of r all A ∈ A_q that are consistent 
with comparisons of the maximal prefix of r and adornments of the 
body of r. 

Example 6. Example 2 continued. The sets of adornments presented in Exam-
ple 5 are used. With the first set of adornments we obtain P^{a1}: 
p^{$1<100}(X) ← X > 1, X < 1000, X1 is −X * X, p^{$1<100}(X1). 
p^{$1>100}(X) ← X > 1, X < 1000, X1 is −X * X, p^{$1<100}(X1). 
p^{$1<100}(X) ← X < −1, X > −1000, X1 is X * X, p^{$1<100}(X1). 
p^{$1<100}(X) ← X < −1, X > −1000, X1 is X * X, p^{$1>100}(X1). 

If the second set of adornments is used, the program P“^ is obtained: 



p^{1<$1<1000}(X) ← X > 1, X < 1000, X1 is −X * X, p^{−1000<$1<−1}(X1).   (1) 

p^{1<$1<1000}(X) ← X > 1, X < 1000, X1 is −X * X, p^{($1<−1000)∨(−1<$1<1)∨($1>1000)}(X1).   (2) 

p^{−1000<$1<−1}(X) ← X < −1, X > −1000, X1 is X * X, p^{1<$1<1000}(X1).   (3) 

p^{−1000<$1<−1}(X) ← X < −1, X > −1000, X1 is X * X, p^{($1<−1000)∨(−1<$1<1)∨($1>1000)}(X1).   (4) 

^ If such a rule has only integer arguments Apt et al. call it homogeneous. 
Correctness of the transformation should be proved. Finiteness of the number 
of clauses, the number of subgoals in a clause and the number of elements in an 
adornment ensure that the transformation terminates. Next we need to prove 
that the transformation preserves termination. 

Adorning clauses introduces new predicates. This means that the query Q 
gives rise to a number of different queries. Clearly, termination of all of these 
queries with respect to P^a is equivalent to termination of Q with respect to 
P^a augmented by a set of clauses such that for every p ≃ rel(Q) and for 
every A ∈ A_p the clause p(X_1, …, X_n) ← p^A(X_1, …, X_n) is added. We call this 
extended program P^{ae}. 

Lemma 1. Let P be a program, and let Q be a query. Let P^{ae} be a program 
obtained as described above. Then, M[P^{ae}](Q) ⊆ M[P](Q). 

Proof. For all proofs we refer to [?]. ■ 

The second direction of the containment depends on the consistency check 
strategy applied at the point marked by * in the definition of P^a. 

Example 7. Let Q be p(X) and let P be the following program: 
p(X) ← X > 0, q(X), X < 0.    q(X) ← X > 0, p(X). 

Predicates p and q are mutually recursive. Thus, both of them should be 
adorned. Let A_p be {$1 > 0, $1 ≤ 0} and A_q be {$1 > 0, $1 ≤ 0}. The 
following program is obtained after the first step of the adorning process: 
p(X) ← X > 0, q^{$1>0}(X), X < 0.    q(X) ← X > 0, p^{$1>0}(X). 

p(X) ← X > 0, q^{$1≤0}(X), X < 0.    q(X) ← X > 0, p^{$1≤0}(X). 

The second step of the adorning process infers adornments for the heads of the 
clauses, possibly rejecting the inconsistent ones. If the inference technique tries 
to use all the information it has in the body constraints and adornments of body 
subgoals, the program {q^{$1>0}(X) ← X > 0, p^{$1>0}(X)} is obtained. Other clauses 
are rejected because of the inconsistency. The query p(X) terminates with re-
spect to the extended program while it does not terminate with respect to the 
original one. Thus, such an inference technique can actually improve termination. 

In order for termination to be preserved a weaker inference engine should be 
used, for example, considering inequalities only of the maximal prefix. Then the 
following is obtained: p^{$1>0}(X) ← X > 0, q^{$1>0}(X), X < 0.  q^{$1>0}(X) ← X > 
0, p^{$1>0}(X). The query p(X) does not terminate with respect to the extended 
program, as expected. The following lemma shows that if this weaker inference 
is used, termination is preserved. □ 

Lemma 2. Let P be a program, and let Q be a query. Let P^{ae} be a program 
obtained as described above. Then, M[P](Q) ⊆ M[P^{ae}](Q). 

For the case of maximal prefixes the following summarises the results. 

Theorem 2. Let P be a program, let Q be a query and let A be a set of adorn-
ments. Let P^{ae} be a program obtained as described above with respect to A. Then, 
M[P](Q) = M[P^{ae}](Q). 

This theorem has two important corollaries. 
Corollary 1. Let P be a program, let Q be a query and let A be a set 
of adornments. Let A' = {a | a ∈ A, for all q such that rel(Q)^a ⊑ q: 
q is not recursive in P^a}. Then ⋁_{a ∈ A'} a is a termination condition for P. 

Example 8. Example 2 continued. p^{($1<−1000)∨(−1<$1<1)∨($1>1000)} does 
not depend on recursive predicates. By the corollary, ($1 < −1000) ∨ (−1 < $1 < 
1) ∨ ($1 > 1000) is a termination condition for p(X). □ 

Theorem 2 implies that a program P is LD-terminating with respect to all queries 
in a set of atomic queries S if and only if P^{ae}, constructed as above, is acceptable 
with respect to S. The latter is equivalent to acceptability of P^a with respect to 
{q^A(t_1, …, t_n) | q(t_1, …, t_n) ∈ S, A ∈ A_q}. 

Corollary 2. Let P be a program, S be a set of atomic queries and A = 
⋃_{Q ∈ S, q ≃ rel(Q)} A_q a set of adornments. Let P^a be obtained with respect to 
A. P is LD-terminating with respect to all queries in S if and only if P^a is 
acceptable with respect to {q^A(t_1, …, t_n) | q(t_1, …, t_n) ∈ S, A ∈ A_q}. 

This corollary allows us to complete the termination proof for Example 2. 

Example 9. We show that P^{a2} is acceptable with respect to the set S = 
{p^{($1<−1000)∨(−1<$1<1)∨($1>1000)}(X), p^{1<$1<1000}(X), p^{−1000<$1<−1}(X)}. 
Then, S = Call(P^{a2}, S). Let | · | be defined as: |p^{−1000<$1<−1}(X)| = 1000 + X 
if −1000 < X < −1 and 0 otherwise; |p^{1<$1<1000}(X)| = 1000 − X if 1 < X < 
1000 and 0 otherwise; |p^{($1<−1000)∨(−1<$1<1)∨($1>1000)}(X)| = 0. 

We do not prove completely that P^{a2} is acceptable with respect to S 
via | · |, but analyse only one call, p^{1<$1<1000}(X). There are two clauses, 
(1) and (2), such that their heads can be unified with it. (2) is not recur-
sive and the condition holds vacuously. (1) is recursive and acceptability re-
quires |p^{1<$1<1000}(X)| > |p^{−1000<$1<−1}(−X²)| for 1 < X < 1000. If 
−X² < −1000 then |p^{−1000<$1<−1}(−X²)| = 0 and descent is clear. Otherwise, 
|p^{−1000<$1<−1}(−X²)| = 1000 − X², and 1000 − X² < 1000 − X, since 
X > 1. As before, there is descent in the level mapping. The other calls are 
proved similarly. □ 
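Because every call in this example carries a bounded integer, the acceptability condition of Definition 3 can be checked exhaustively instead of by the case analysis above. The following Python is an added example, not code from the paper: it encodes the two recursive clauses (1) and (3) of P^{a2}, the level mapping of Example 9 (including the "0 otherwise" case for −X² < −1000), and reports every call for which the level fails to decrease; the second clause is read with X1 is X*X, as in the transformed program of Section 3 (assumption).

```python
# Added example (not from the paper): an exhaustive check of the acceptability
# condition (Definition 3) for the adorned program P^{a2} of Example 6 under the
# level mapping of Example 9.  Since every call carries a bounded integer, the
# decrease |A| > |B_i theta sigma| can be checked for each call individually.

REST = "rest"   # ($1 < -1000) v (-1 < $1 < 1) v ($1 > 1000), the non-recursive adornment
POS_AD, NEG_AD = "1<$1<1000", "-1000<$1<-1"

def level(adornment, x):
    """|p^A(x)| as in Example 9: 1000 - x, 1000 + x, or 0 outside the adornment."""
    if adornment == POS_AD and 1 < x < 1000:
        return 1000 - x
    if adornment == NEG_AD and -1000 < x < -1:
        return 1000 + x
    return 0

# The recursive clauses (1) and (3) of P^{a2}: head adornment, guard, the value
# computed for X1, and the adornment of the recursive body atom.  Clauses (2) and
# (4) call p^rest, which is not mutually recursive with the head, so Definition 3
# imposes nothing on them.  (Second clause read with X1 is X*X - assumption.)
CLAUSES = [
    (POS_AD, lambda x: 1 < x < 1000, lambda x: -x * x, NEG_AD),
    (NEG_AD, lambda x: -1000 < x < -1, lambda x: x * x, POS_AD),
]

def acceptability_violations(low=-1005, high=1005):
    """Calls p^A(x) with x in [low, high] for which the level does not decrease
    on the recursive body atom.  An empty list means Definition 3 is satisfied."""
    bad = []
    for head, guard, step, body in CLAUSES:
        for x in range(low, high + 1):
            if guard(x) and not level(head, x) > level(body, step(x)):
                bad.append((head, x))
    return bad

def trace(x):
    """Arguments of the successive calls of p starting from p(x) in the original
    program; the loop stops as soon as no clause guard is satisfied."""
    seq = [x]
    while True:
        for _, guard, step, _ in CLAUSES:
            if guard(x):
                x = step(x)
                seq.append(x)
                break
        else:
            return seq

if __name__ == "__main__":
    print("violations:", acceptability_violations())   # []
    print("p(2) calls:", trace(2))                      # [2, -4, 16, -256, 65536]
```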



4 Practical Issues 

In the previous section we have shown the transformation that allows reason- 
ing on termination of the numerical computations. In this section we discuss a 
number of practical issues to be considered for automation. 



4.1 Guard-Tuned Sets of Adornments 

In Example 5 we have seen two different sets of adornments. Both of them 
are valid according to Definition 9. However, {−1000 < $1 < −1, 1 < $1 < 
1000, ($1 < −1000) ∨ (−1 < $1 < 1) ∨ ($1 > 1000)} is in some sense preferable 
to {$1 < 100, $1 > 100}. First of all, it has a declarative reading: the sets that 
are constructed express conditions that, when satisfied, allow traversing the rule. 
Second, observe that P^{a1} has not only two mutually recursive predicates, as P^{a2} 
does, but also a self-loop on one of the predicates. To distinguish between "better" 
and "worse" sets of adornments we define guard-tuned sets of adornments. 

662 A. Serebrenik and D. De Schreye 

Definition 12. Let $P$ be a partially normalised program and let $p$ be a predicate in $P$. A set of adornments $A_p$ is called guard-tuned if for every $A \in A_p$ and for every rule $r \in P$ with the symbolic condition $c$ corresponding to its maximal prefix, either $c \wedge A = \mathit{false}$ or $c \wedge A = A$ holds.

Example 10. The first set of adornments presented in the example referred to above is not guard-tuned, while the second one is guard-tuned. □

The preceding examples suggest two ways of constructing a guard-tuned set of adornments. Given a program $P$ one might collect the symbolic conditions corresponding to the maximal prefixes of the rules defining a predicate $p$ (we denote this set $C_p$) and add the completion of the constructed disjunction. Unfortunately, this set is not necessarily a set of adornments and, even if it is, it is not necessarily guard-tuned.

Example 11. $r(X) \leftarrow X > 5.$ $\quad r(X) \leftarrow X1 > 10, r(X1).$ Two sets of symbolic conditions can be constructed: $\{\$1 > 5,\ \$1 > 10,\ \$1 \le 5\}$, which is not a set of adornments, and $\{\$1 > 5,\ \$1 \le 5\}$, which is not guard-tuned. □

We use a different approach. First, we find $C_p = \{c_1, \ldots, c_n\}$. Then we define $A_p$ to be the set of conjunctions of the $c_i$'s and their negations. We claim that the constructed set is always a guard-tuned set of adornments.

Example 12. As above, $C_p = \{\$1 > 5,\ \$1 > 10\}$. After simplifying and removing inconsistencies, $A_p = \{\$1 > 10,\ \$1 > 5 \wedge \$1 \le 10,\ \$1 \le 5\}$. □

Lemma 3. Let $P$ be a program, $p$ be a predicate in $P$ and $A_p$ be constructed as described. Then $A_p$ is a guard-tuned set of adornments.
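The construction of this subsection, worked out as an added example (this is not the paper's own code). It assumes, as Examples 9, 11 and 12 do, that every symbolic condition constrains the single integer argument position $1, so a condition can be represented as a disjunction of closed integer intervals; `adornments` builds $A_p$ as the consistent conjunctions of the $c_i$ and their negations, `is_guard_tuned` checks Definition 12, and `is_set_of_adornments` checks the reading of "set of adornments" assumed here (pairwise exclusive and jointly exhaustive), which is what the naive construction of Example 11 violates.

```python
"""Guard-tuned sets of adornments (Section 4.1) for conditions on one integer
argument position. Added example, not the paper's own code.

A symbolic condition on $1 is a disjunction of closed integer intervals,
stored as a sorted tuple of (lo, hi) pairs; -INF/INF stand for unbounded
sides, () is `false` and ((-INF, INF),) is `true`.
"""
from itertools import product

INF = float("inf")

def cond(lo=-INF, hi=INF):
    """The single interval lo <= $1 <= hi; cond() is `true`."""
    return ((lo, hi),)

def normalize(intervals):
    """Sort and merge overlapping or integer-adjacent intervals."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return tuple(merged)

def meet(a, b):
    """Conjunction a AND b: intersect every disjunct of a with every disjunct of b."""
    out = []
    for (l1, h1), (l2, h2) in product(a, b):
        lo, hi = max(l1, l2), min(h1, h2)
        if lo <= hi:
            out.append((lo, hi))
    return normalize(out)

def join(a, b):
    """Disjunction a OR b."""
    return normalize(a + b)

def neg(a):
    """Negation NOT a: the integer gaps between the disjuncts of a."""
    out, cur = [], -INF
    for lo, hi in normalize(a):
        if lo > cur:
            out.append((cur, lo - 1))
        cur = hi + 1
    if cur < INF:
        out.append((cur, INF))
    return tuple(out)

def adornments(c_p):
    """A_p as built in Section 4.1: every consistent conjunction of the c_i in
    C_p and their negations, duplicates removed (Example 12)."""
    result = []
    for signs in product((False, True), repeat=len(c_p)):
        a = cond()
        for c, negate in zip(c_p, signs):
            a = meet(a, neg(c) if negate else c)
        if a and a not in result:          # a == () means the conjunction is inconsistent
            result.append(a)
    return result

def is_set_of_adornments(adorns):
    """Assumed reading of 'set of adornments': pairwise exclusive and jointly
    exhaustive (the naive set of Example 11 fails the first part)."""
    adorns = [normalize(a) for a in adorns]
    total = ()
    for a in adorns:
        total = join(total, a)
    exclusive = all(meet(a, b) == () for i, a in enumerate(adorns) for b in adorns[i + 1:])
    return total == cond() and exclusive

def is_guard_tuned(adorns, rule_conds):
    """Definition 12: for every adornment A and every rule condition c (the
    symbolic condition of the rule's maximal prefix), c AND A is false or A."""
    for a in map(normalize, adorns):
        for c in rule_conds:
            if meet(c, a) not in ((), a):
                return False
    return True

if __name__ == "__main__":
    # Example 12: C_p = {$1 > 5, $1 > 10}, i.e. $1 >= 6 and $1 >= 11 over the integers.
    c_p = [cond(6), cond(11)]
    a_p = adornments(c_p)
    print(a_p, is_set_of_adornments(a_p), is_guard_tuned(a_p, c_p))
    # Example 11: the naive construction is not a set of adornments,
    # and its completion-only variant is a set of adornments but not guard-tuned.
    naive = [cond(6), cond(11), neg(join(cond(6), cond(11)))]
    print(is_set_of_adornments(naive), is_guard_tuned([cond(6), neg(cond(6))], c_p))
```

For $C_p = \{\$1 > 5,\ \$1 > 10\}$ the result is $\{\$1 \ge 11,\ 6 \le \$1 \le 10,\ \$1 \le 5\}$, i.e. the $A_p$ of Example 12, and it passes both checks; for the two conditions of Example 9 the third adornment produced is exactly the three-way disjunction of that example.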

4.2 How to Define a Level Mapping? 

The problem with defining level mappings is that they should reflect changes on possibly negative arguments and remain non-negative at the same time. We would also like to remain in the framework of level mappings on atoms defined as linear combinations of sizes of their arguments.

Definition 13. Let $p^{E_1 \rho E_2}$ be an adorned predicate, where $E_1$ and $E_2$ are expressions and $\rho \in \{>, \ge\}$. The primitive level mapping is defined as:

$|p^{E_1 \rho E_2}(t_1, \ldots, t_n)|^{pr} = (E_1 - E_2)(t_1, \ldots, t_n)$

if $E_1(t_1, \ldots, t_n)\ \rho\ E_2(t_1, \ldots, t_n)$ and 0 otherwise.

If more than one conjunct appears in the adornment, the level mapping is defined as a linear combination of the primitive level mappings corresponding to the conjuncts. If a conjunct is a disjunction, it is ignored, since disjunctions are introduced only if some rule cannot be applied.

Definition 14. Let $p^A$ be an adorned predicate. The natural level mapping is:

$|p^A(t_1, \ldots, t_n)| = \sum_{E_1 \rho E_2 \in A} c_{E_1 \rho E_2}\, |p^{E_1 \rho E_2}(t_1, \ldots, t_n)|^{pr}$

where the $c$'s are natural number coefficients and $E_1$, $E_2$ and $\rho$ are as above.



Example 13. The level mappings used in Example 9 are natural level mappings such that $c_{\$1 > 1} = c_{\$1 < -1} = 0$ and $c_{\$1 < 1000} = c_{\$1 > -1000} = 1$. For $p^{(\$1 \le -1000) \vee (-1 \le \$1 \le 1) \vee (\$1 \ge 1000)}$ the definition holds trivially. □

The approach of [7] defines symbolic counterparts of the level mappings and 
infers the values of the coefficients by solving a system of constraints. 



4.3 Inferring Termination Constraints 

In this section, we combine the steps studied so far into an algorithm that infers termination conditions. The termination condition is constructed as a disjunction of two: $c_1$ for non-recursive cases, according to Corollary 1, and $c_2$ for recursive cases, incrementally refined by conjoining constraints on the integer variables obtained from the acceptability condition, as in [7]³. The algorithm is presented in Figure 1.

Example 14. $q(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q(Z, Y).$

We look for values of $X$ and $Y$ such that $q(X, Y)$ terminates. First, the algorithm infers adornments. In our case $\{\$1 > \$2,\ \$1 \le \$2\}$ are inferred.

The adorned version of this program is

$q^{\$1 > \$2}(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q^{\$1 > \$2}(Z, Y).$

$q^{\$1 > \$2}(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q^{\$1 \le \$2}(Z, Y).$

There is no clause defining $q^{\$1 \le \$2}$. By Corollary 1, $\$1 \le \$2$ is a termination condition. This is the one we denoted $c_1$. The termination condition for $q^{\$1 > \$2}$, denoted $c_2$, is initialised to be $\$1 > \$2$. The level mapping is $|q^{\$1 > \$2}(X, Y)| = c_{\$1 > \$2}(X - Y)$ if $X > Y$ and 0 otherwise. The acceptability decrease implies (see [7]): $c_{\$1 > \$2}(X - Y) > c_{\$1 > \$2}((X - Y) - Y)$, that is, $c_{\$1 > \$2}\, Y > 0$. Since $c_{\$1 > \$2} \ge 0$, both $Y > 0$ and $c_{\$1 > \$2} > 0$ should hold. We update $c_2$ to be $(\$1 > \$2) \wedge (\$2 > 0)$. Now we restart the whole process with respect to $Y > 0$. The following adorned program is obtained:

$q^{\$1 > \$2,\ \$2 > 0}(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q^{\$1 > \$2,\ \$2 > 0}(Z, Y).$

$q^{\$1 > \$2,\ \$2 \le 0}(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q^{\$1 > \$2,\ \$2 \le 0}(Z, Y).$

$q^{\$1 > \$2,\ \$2 \le 0}(X, Y) \leftarrow X > Y,\ Z \text{ is } X - Y,\ q^{\$1 \le \$2,\ \$2 \le 0}(Z, Y).$

³ Any other technique proving termination and able to provide some constraint that, if satisfied, implies termination can be used instead of [7].
Let $P$ be a partially normalised program, let $Q$ be a query and let $q$ be $rel(Q)$.

1. For each $p \sim q$ construct $A_p$.

2. Adorn $P$ with respect to $q$ and $\bigcup_{p \sim q} A_p$.

3. Let $A = \{a \mid a \in A_q,\ \text{for all } p \text{ such that } q^a \sim p:\ p \text{ is not recursive in } P^a\}$. Let $c_1 = \bigvee_{a \in A} a$. Let $c_2 = \bigvee_{a \in A_q,\, a \notin A} a$.

4. Remove "irrelevant clauses":

   Let $A_1, \ldots, A_n \in A_q$ be the only adornments of $q$ consistent with $c_2$.

   For every rule $r$ in $P^a$: if for all $i$, $q^{A_i} \not\sim rel(Head(r))$, remove $r$ from $P^a$.

5. Define symbolic counterparts of norms, level mappings and interargument relations.

6. Construct constraints on the symbolic variables. Obtain $S$.

7. Solve $S$.

   a) The solution of $S$ does not produce extra constraints on variables. Report termination for $c_1 \vee c_2$.

   b) The solution of $S$ produces extra constraints involving new integer variables. Conjoin these constraints to the termination condition $c_2$. Go back to step 2.

   c) Otherwise report termination for $c_1$.

Fig. 1. Termination Inference Algorithm



The second and the third clauses are removed, since they are "irrelevant" with respect to $\$2 > 0$. The level mapping is redefined as

$|q^{\$1 > \$2,\ \$2 > 0}(X, Y)| = c_{\$1 > \$2} \cdot \begin{cases} X - Y & \text{if } X > Y \\ 0 & \text{otherwise} \end{cases} \;+\; c_{\$2 > 0} \cdot \begin{cases} Y & \text{if } Y > 0 \\ 0 & \text{otherwise} \end{cases}$

Acceptability decreases imply $c_{\$1 > \$2}(X - Y) + c_{\$2 > 0}\, Y > c_{\$1 > \$2}((X - Y) - Y) + c_{\$2 > 0}\, Y$, i.e., $0 > -c_{\$1 > \$2}\, Y$. The inequality holds, since $Y > 0$ and $c_{\$1 > \$2} > 0$ are assumed to hold. This solution does not impose additional constraints on integer variables. Thus, the analysis terminates reporting $\$1 \le \$2 \vee (\$1 > \$2 \wedge \$2 > 0)$ as a termination condition. □

In order to prove correctness of this algorithm we have to prove its termination and partial correctness. Termination follows from termination of its steps and from the finiteness of the number of integer variables, which bounds the number of backward steps from 7(b) to 2. Partial correctness follows from the correctness of the transformations and of [?].



5 Further Extensions 

In this section we discuss possible extensions of the algorithm presented above. First, we reconsider the inference of adornments; then we discuss integrating termination analysis of numerical and symbolic computations.
5.1 Once More about the Inference of Adornments

The set of adornments $A_p$ inferred in Subsection 4.1 may sometimes be too weak for inferring precise termination conditions.

Example 15. $p(X, Y) \leftarrow X < 0,\ Y1 \text{ is } Y + 1,\ X1 \text{ is } X - 1,\ p(Y1, X1).$ The maximal prefix of the rule above is $X < 0$; thus, $C_p = \{\$1 < 0\}$ and $A_p = \{\$1 < 0,\ \$1 \ge 0\}$. The only termination condition found is $\$1 \ge 0$, while the precise termination condition is $\$1 \ge 0 \vee (\$1 < 0 \wedge \$2 \ge -1)$. □

The problem occurred due to the fact that $A_p$ restricts only some subset of the integer argument positions, while for the termination proof information on integer arguments outside of this subset may be needed.

Definition 15. Let $P$ be a program, let $p$ be a predicate in $P$, let $C_q$ be a set of symbolic conditions over the integer argument positions of $q$, and $C = \bigcup_{q \in P} C_q$. A symbolic condition $c$ over the integer argument positions of $p$ is called an extension of $C$ if there exists $r \in P$, defining $p$, such that some integer argument position denominator appearing in $c$ does not appear in $C_p$, and $c$ is implied by some $c_q \in C_q$ for the recursive subgoals and some interargument relations for the non-recursive ones.

Let $C$ be a set of symbolic conditions over the integer argument positions of $p$ and let $\varphi(C)$ be $C \cup \{c \mid c \text{ is an extension of } C\}$. Define the set of adornments for $p$ as $\{c'_1 \wedge \ldots \wedge c'_n \mid c'_i \in \varphi^*(C_p) \text{ or } \neg c'_i \in \varphi^*(C_p)\}$, where $\varphi^*$ is a fixpoint of powers of $\varphi$ and $C_p$ is defined as in Subsection 4.1.

Example 16. Example 15 continued. The only extension of $C_p$ is $\$1 < 0 \wedge \$2 < -1$, i.e., $\varphi(C_p) = \{\$1 < 0,\ \$1 < 0 \wedge \$2 < -1\}$. Thus, $\varphi^*(C_p) = \varphi(C_p)$ and $A_p = \{\$1 < 0 \wedge \$2 < -1,\ (\$1 < 0 \wedge \$2 \ge -1) \vee \$1 \ge 0\}$. □

An alternative approach to propagating such information was suggested in [8]. It allows one to propagate the existing adornments but not to infer new ones, and thus is less precise than our approach.

5.2 Integrating Numerical and Symbolic Computation 

In real-world programs numerical computations are sometimes interleaved with symbolic ones, as illustrated by the following example [?].

Example 17.

collect(X, [X|L], L) ← atomic(X).
collect(T, L0, L) ← compound(T), functor(T, _, A), process(T, 0, A, L0, L).
process(_, A, A, L, L).
process(T, I, A, L0, L2) ← I < A, I1 is I + 1, arg(I1, T, Arg), collect(Arg, L0, L1), process(T, I1, A, L1, L2).

To prove termination of $\{collect(tree, variable, [])\}$ three decreases should be shown: between a call to $collect$ and a call to $process$, between a call to $process$ and a call to $collect$, and between two calls to $process$. The first two can be






shown only by a symbolic level mapping, the third one — only by the numerical 
approach. □ 

Thus, our goal is to combine the existing symbolic approaches with the numerical one presented so far. One of the possible ways to do so is to combine two level mappings, $|\cdot|_1$ and $|\cdot|_2$, by mapping each atom $A \in B_P$ to a pair of natural numbers $(|A|_1, |A|_2)$ and prove termination by establishing decreases on orderings of such pairs [?].

Example 18. Example 17 continued. Define $\varphi : B_P \to (\mathcal{N} \cup \mathcal{N}^2)$ as: $\varphi(collect(t, l0, l)) = \|t\|$, $\varphi(process(t, i, a, l0, l)) = (\|t\|, a - i)$, where $\|\cdot\|$ is a term-size norm. The decreases are satisfied with respect to $>$, such that $A_1 > A_2$ if and only if $\varphi(A_1) \succ \varphi(A_2)$, where $\succ$ is defined as: $n \succ m$ if $n >_{\mathcal{N}} m$; $n \succ (n, m)$ if true; $(n, m_1) \succ (n, m_2)$ if $m_1 >_{\mathcal{N}} m_2$; and $(n_1, m) \succ n_2$ if $n_1 >_{\mathcal{N}} n_2$, where $>_{\mathcal{N}}$ is the usual order on the naturals. □

This integrated approach allows one to analyse correctly examples such as ground, unify, numbervars [15] and Example 6.12 in [8].

6 Conclusion 

Termination of numerical computations was studied by a number of authors [?]. Apt et al. [2] provided a declarative semantics, the so-called $\theta$-semantics, for Prolog programs with first-order built-in predicates, including arithmetic operations. In this framework the property of strong termination, i.e., finiteness of all LD-trees for all possible goals, was completely characterised based on an appropriately tuned notion of acceptability. This approach provides important theoretical results, but seems to be difficult to integrate in automatic tools. In [1] it is claimed that an unchanged acceptability condition can be applied to programs in pure Prolog with arithmetic by defining the level mappings on ground atoms with the arithmetic relation to be zero. This approach ignores the actual computation, and thus its applicability is restricted to programs using some arithmetic but not really relying on it, such as quicksort. Moreover, as Example 14 illustrates, there are many programs that terminate only for some queries. Alternatively, Dershowitz et al. [8] extended the query-mapping pairs formalism of [9] to deal with numerical computations. However, this approach inherited the disadvantages of [9], such as a high computational price.

More research has been done on termination analysis for constraint logic programs [?]. Since numerical computations in Prolog should be written in a way that allows a system to verify their satisfiability, we can see numerical computations of Prolog as an ideal constraint system. Thus, all the results obtained for ideal constraint systems can be applied. Unfortunately, the research was either oriented towards theoretical characterisations [12] or restricted to domains isomorphic to $\mathcal{N}$ [10].

In contrast to the approach of [8], which was restricted to verifying termination, we presented a methodology for inferring termination conditions. It is not clear whether and how [8] can be extended to infer such conditions. A main contribution of this work to the theoretical understanding of termination of numerical computations is in situating them in the well-known framework of acceptability and allowing integration with the existing approaches to termination of symbolic computations. The methodology presented can be integrated in automatic termination analysers, such as [?].

The kernel technique is powerful enough to analyse correctly examples such as gcd and mod [8] and all examples appearing in Chapter 8 of [?], which is dedicated to arithmetic. These examples include the examples appearing in [1]. Moreover, our approach gains its power from the underlying framework of [7] and thus allows one to prove termination of some examples that cannot be analysed correctly by [8], similar to confused delete [7]. The extended technique, presented in Section 5, allows one to analyse correctly examples such as Ackermann's function, ground, unify, numbervars [15] and Example 6.12 in [8].

As future work we consider a complete implementation of the algorithm. Due to the use of constraint solving techniques we expect it to be both powerful and highly efficient.
Abstract. We investigate termination of rewriting computations
guided by strategy annotations. We show that proofs of termination 
can be obtained by proving (innermost) termination of context-sensitive 
rewriting (CSR). Hence, we investigate how to prove innermost ter- 
mination of CSR using existing methods for proving termination of CSR. 

Keywords: Rewriting strategies, termination. 



1 Introduction 

Strategy annotations (e.g., lists of integers that are associated to the symbols of the signature) are used in programming languages such as OBJ2 [FGJM85], OBJ3 [GWMFJ00], CafeOBJ [FN97], and Maude [CELM96] to introduce replacement restrictions aimed at improving termination ([GWMFJ00], Section 2.4.4).

Example 1. The following OBJ3 program (borrowed from [OF97]):

    obj EXAMPLE is
      sorts Sort .
      op 0 : -> Sort .
      op s : Sort -> Sort .
      op _::_ : Sort Sort -> Sort [strat: (1 0)] .
      op inf : Sort -> Sort .
      op nth : Sort Sort -> Sort .
      var X Y L : Sort .
      eq nth(s(X),Y::L) = nth(X,L) .
      eq nth(0,X::L) = X .
      eq inf(X) = X::inf(s(X)) .
    endo

specifies an explicit strategy annotation for the list constructor '::' which disables replacements on the second argument. In this way, the evaluation of the expression nth(s(0),inf(0)) always finishes and produces the term s(0), even though the 'infinite list' inf(0) is a part of the expression.

* Work partially supported by Accion Integrada Hispano-Italiana HI2000-0161, Spa- 
nish CICYT, and Conselleria de Cultura i Educacio de la Generalitat Valenciana. 
Unfortunately, there is a lack of formal techniques to analyze how a particular choice of strategy annotations modifies the termination of programs. Since term rewriting systems (TRSs [BN98,DP01]) provide a suitable computational model for programs written in these programming languages, in this paper we investigate termination of rewriting computations controlled by strategy annotations. Strategy annotations can be given different shapes and computational interpretations. Following Visser's recent classification [Vis01], we consider the following computational strategies which are associated to strategy annotations:

1. E-strategy [FGJM85,Eke98], which permits us to completely avoid the evaluation of some arguments of function symbols (in an ordered way).

2. Just-in-time (by van de Pol [Pol01]), which is designed to delay the evaluation of arguments as much as possible.

We show that context-sensitive rewriting (CSR, a simple restriction of rewriting that forbids reductions on selected arguments of functions [Luc98]) provides a suitable framework for describing and analyzing computations with programs using such kinds of strategy annotations. We focus on the innermost character of these computational models and show that the analysis of innermost termination of CSR provides a more accurate (even complete, for the E-strategy) characterization of termination of rewriting under strategy annotations. Termination of CSR has been studied in [GM99,Luc96,Zan97]. In these works, termination of CSR for a given TRS is demonstrated by proving termination of a transformed TRS. In this way, with CSR we can use the standard methods for proving termination of rewriting (see [Der87] for a survey). We prove that the (two) transformations of [GM99] are correct for proving innermost termination of CSR. The transformation of [Luc96] is correct in the cases that we characterize below. Zantema's transformation [Zan97] does not provide correct proofs of innermost termination of CSR. On the other hand, we found that the transformations of [GM99] (even the second one, which is complete for proving termination of CSR) are not complete for proving innermost termination of CSR. The transformation of [Luc96] is complete under the same assumptions that make it sound for proving innermost termination of CSR.

Section 2 gives some preliminaries. Section 3 introduces CSR. Sections 4 and 5 connect (innermost) termination of CSR with termination of rewriting under E- and van de Pol strategies. Section 6 investigates how to prove innermost termination of CSR. Section 7 discusses related work. Section 8 concludes.

2 Preliminaries 

Given a set $A$, $\mathcal{P}(A)$ denotes the set of all subsets of $A$. Given a binary relation $R$ on a set $A$, we denote the reflexive closure of $R$ by $R^{=}$, its transitive closure by $R^{+}$, and its reflexive and transitive closure by $R^{*}$. An element $a \in A$ is an $R$-normal form if there exists no $b$ such that $a\,R\,b$; $NF_R$ is the set of $R$-normal forms. We say that $b$ is an $R$-normal form of $a$ if $b$ is an $R$-normal form and $a\,R^{*}\,b$. We say that $R$ is terminating iff there is no infinite sequence $a_1\,R\,a_2\,R\,a_3 \cdots$.



Termination of Rewriting with Strategy Annotations 671 



Throughout the paper, $X$ denotes a countable set of variables and $\Sigma$ denotes a signature, i.e., a set of function symbols $\{f, g, \ldots\}$, each having a fixed arity given by a mapping $ar : \Sigma \to \mathbb{N}$. The set of terms built from $\Sigma$ and $X$ is $T(\Sigma, X)$. A term is said to be linear if it has no multiple occurrences of a single variable. Terms are viewed as labelled trees in the usual way. Positions $p, q, \ldots$ are represented by chains of positive natural numbers used to address subterms of $t$. Given positions $p, q$, we denote their concatenation by $p.q$. Positions are ordered by the standard prefix ordering $\le$. Given a set of positions $P$, $maximal_\le(P)$ is the set of maximal positions of $P$ w.r.t. $\le$. If $p$ is a position and $Q$ is a set of positions, $p.Q = \{p.q \mid q \in Q\}$. We denote the empty chain by $\Lambda$. The set of positions of a term $t$ is $Pos(t)$. Positions of non-variable symbols in $t$ are denoted as $Pos_\Sigma(t)$, and $Pos_X(t)$ are the positions of variables. The subterm at position $p$ of $t$ is denoted as $t|_p$, and $t[s]_p$ is the term $t$ with the subterm at position $p$ replaced by $s$. The symbol labelling the root of $t$ is denoted as $root(t)$.

A rewrite rule is an ordered pair $(l, r)$, written $l \to r$, with $l, r \in T(\Sigma, X)$, $l \notin X$ and $Var(r) \subseteq Var(l)$. The left-hand side (lhs) of the rule is $l$ and the right-hand side (rhs) is $r$. A TRS is a pair $\mathcal{R} = (\Sigma, R)$ where $R$ is a set of rewrite rules. $L(\mathcal{R})$ denotes the set of lhs's of $\mathcal{R}$. An instance $\sigma(l)$ of a lhs $l$ of a rule is a redex. The set of redex positions in $t$ is $Pos_{\mathcal{R}}(t)$. A TRS $\mathcal{R}$ is left-linear if for all $l \in L(\mathcal{R})$, $l$ is a linear term. A term $t \in T(\Sigma, X)$ rewrites to $s$ (at position $p$), written $t \stackrel{p}{\to}_{\mathcal{R}} s$ (or just $t \to s$), if $t|_p = \sigma(l)$ and $s = t[\sigma(r)]_p$, for some rule $\rho : l \to r \in R$, $p \in Pos(t)$ and substitution $\sigma$. A TRS is terminating if $\to$ is terminating. We say that $t$ innermost rewrites to $s$, written $t \stackrel{i}{\to} s$, if $t \stackrel{p}{\to} s$ and $p \in maximal_\le(Pos_{\mathcal{R}}(t))$. A TRS is innermost terminating if $\stackrel{i}{\to}$ is terminating.

3 Rewriting with Syntactic Replacement Restrictions 

A mapping $\mu : \Sigma \to \mathcal{P}(\mathbb{N})$ is a replacement map (or $\Sigma$-map) if $\forall f \in \Sigma$, $\mu(f) \subseteq \{1, \ldots, ar(f)\}$ [Luc98]. The ordering $\sqsubseteq$ on $M_\Sigma$, the set of all $\Sigma$-maps, is: $\mu \sqsubseteq \mu'$ if for all $f \in \Sigma$, $\mu(f) \subseteq \mu'(f)$. Thus, $\mu \sqsubseteq \mu'$ means that $\mu$ considers fewer positions than $\mu'$ (for reduction), i.e., $\mu$ is more restrictive than $\mu'$.

A replacement map $\mu$ specifies the argument positions which can be reduced for each symbol in $\Sigma$. Accordingly, the set of $\mu$-replacing positions $Pos^\mu(t)$ of $t \in T(\Sigma, X)$ is: $Pos^\mu(t) = \{\Lambda\}$ if $t \in X$, and $Pos^\mu(t) = \{\Lambda\} \cup \bigcup_{i \in \mu(root(t))} i.Pos^\mu(t|_i)$ if $t \notin X$. The set of positions of replacing redexes in $t$ is $Pos^\mu_{\mathcal{R}}(t) = Pos_{\mathcal{R}}(t) \cap Pos^\mu(t)$. In context-sensitive rewriting (CSR [Luc98]), we (only) contract replacing redexes: $t$ $\mu$-rewrites to $s$, written $t \hookrightarrow_\mu s$, if $t \stackrel{p}{\to}_{\mathcal{R}} s$ and $p \in Pos^\mu(t)$.

Example 2. Consider the TRS

nth(0,x:y) → x
nth(s(x),y:z) → nth(x,z)
inf(x) → x:inf(s(x))

with $\mu(:) = \mu(inf) = \mu(s) = \{1\}$ and $\mu(nth) = \{1, 2\}$. Then, we have: nth(inf(0)) $\hookrightarrow_\mu$ nth(0:inf(s(0))). Since $1.2 \notin Pos^\mu(\text{nth(0:inf(s(0)))})$, the redex inf(s(0)) cannot be $\mu$-rewritten.

The $\hookrightarrow_\mu$-normal forms are called $\mu$-normal forms. A TRS $\mathcal{R}$ is $\mu$-terminating if $\hookrightarrow_\mu$ is terminating. With innermost CSR, we only contract maximal positions of replacing redexes: $t \stackrel{i}{\hookrightarrow}_\mu s$ if $t \stackrel{p}{\to}_{\mathcal{R}} s$ and $p \in maximal_\le(Pos^\mu_{\mathcal{R}}(t))$. We say that $\mathcal{R}$ is innermost $\mu$-terminating if $\stackrel{i}{\hookrightarrow}_\mu$ is terminating.

Strategy annotations are simple mechanisms for specifying rewriting strategies. They are associated to symbols $f$ of the signature $\Sigma$ and mainly concern: (1) the possibility of reducing the arguments of $f$ (indexed by $1, \ldots, k$, if $f$ is a $k$-ary symbol), and (2) the possibility of applying the (different) rules defining $f$ (i.e., rules $l \to r \in R$ such that $root(l) = f$) to redexes rooted by symbol $f$. We investigate two kinds of strategy annotations.



4 Termination of Rewriting under the E-Strategy

A positive local strategy (or E-strategy [FGJM85,Eke98,Nag99,NO01]) for a $k$-ary symbol $f \in \Sigma$ is a sequence of integers taken from $\{0, 1, \ldots, k\}$ which are given in parentheses² (see Example 1). A mapping $\varphi$ that associates a local strategy $\varphi(f)$ to every $f \in \Sigma$ is called an E-strategy map [NO01]. Roughly speaking, when considering a function call $f(t_1, \ldots, t_k)$, only the arguments whose indices are present as positive integers in the local strategy for $f$ are evaluated (following the specified ordering). If 0 is found, then the evaluation of $f$ is attempted. Nagaya describes the operational semantics of term rewriting under E-strategy maps as follows [Nag99]: Let $\mathcal{L}$ be the set of all lists consisting of natural numbers. By $\mathcal{L}_n$ we denote the set of all lists of natural numbers not exceeding $n \in \mathbb{N}$. We use the signature $\Sigma_{\mathcal{L}} = \{f_L \mid f \in \Sigma \wedge L \in \mathcal{L}_{ar(f)}\}$ and labelled variables $X_{\mathcal{L}} = \{x_{nil} \mid x \in X\}$. An E-strategy map $\varphi$ for $\Sigma$ is extended to a mapping from $T(\Sigma, X)$ to $T(\Sigma_{\mathcal{L}}, X_{\mathcal{L}})$ as follows:

$\varphi(t) = x_{nil}$ if $t = x \in X$, and $\varphi(t) = f_{\varphi(f)}(\varphi(t_1), \ldots, \varphi(t_k))$ if $t = f(t_1, \ldots, t_k)$.

The mapping $erase : T(\Sigma_{\mathcal{L}}, X_{\mathcal{L}}) \to T(\Sigma, X)$ removes labellings from symbols. The relation $\to_\varphi$ on $T(\Sigma_{\mathcal{L}}, X_{\mathcal{L}}) \times \mathbb{N}^*$ (i.e., pairs $(t, p)$ of labelled terms $t$ and positions $p$) is [NO01,Nag99]: $(t, p) \to_\varphi (s, q)$ if and only if $p \in Pos(t)$ and either

1. $root(t|_p) = f_{nil}$, $s = t$ and $p = q.i$ for some $i$; or

2. $t|_p = f_{i:L}(t_1, \ldots, t_k)$ with $i > 0$, $s = t[f_L(t_1, \ldots, t_k)]_p$ and $q = p.i$; or

3. $t|_p = f_{0:L}(t_1, \ldots, t_k)$, $erase(t|_p)$ is not a redex, $s = t[f_L(t_1, \ldots, t_k)]_p$, $q = p$; or

4. $t|_p = f_{0:L}(t_1, \ldots, t_k) = \sigma(l')$, $erase(l') = l$, $s = t[\sigma(\varphi(r))]_p$ for some $l \to r \in R$ and substitution $\sigma$, $q = p$.

² Apart from this, we use the standard notation of lists which is also used in [NO01]: $nil$ is the empty list and $i : L$ is the list whose first element is $i$ and whose tail is $L$.
We write $e \in L$ to denote that item $e$ appears somewhere within the list $L$. Algebraic languages OBJ2, OBJ3, CafeOBJ, and Maude admit the specification of E-strategies. Symbols without an explicit local strategy are given a default one whose concrete shape depends on the considered language³. Given an E-strategy map $\varphi$ for $\Sigma$, we let $\mu^\varphi \in M_\Sigma$ be $\mu^\varphi(f) = \{i > 0 \mid i \in \varphi(f)\}$ for each $f \in \Sigma$. We drop superscript $\varphi$ if no confusion arises. We have the following.

Theorem 1. [Luc01] Let $\mathcal{R}$ be a TRS and $\varphi$ be a positive E-strategy map. Let $t \in T(\Sigma_{\mathcal{L}}, X_{\mathcal{L}})$, and $p \in Pos^\mu(erase(t))$ be s.t. $root(t|_p) = f_L$ for some suffix $L$ of $\varphi(f)$. If $(t, p) \to_\varphi (s, q)$, then $q \in Pos^\mu(erase(s))$ and $erase(t) \hookrightarrow_\mu^{=} erase(s)$.

Semantics of OBJ programs⁴ under a given E-strategy map $\varphi$ is usually given by means of an evaluation function $eval_\varphi : T(\Sigma, X) \to \mathcal{P}(T(\Sigma, X))$ (from terms to their sets of 'computed values') rather than by specifying the concrete rewrite steps leading to computed values [Eke98]. Nakamura and Ogata define [NO01]:
$eval_\varphi(t) = \{erase(s) \in T(\Sigma, X) \mid (\varphi(t), \Lambda) \to_\varphi^{*} (s, \Lambda) \wedge (s, \Lambda) \in NF_{\to_\varphi}\}$.

Example 3. Consider the following TRS $\mathcal{R}$ [Eke98]:

f(b) → c
g(x) → h(x)
h(c) → g(f(a))
a → b

and $\varphi$ given by $\varphi(f) = (0\ 1)$, $\varphi(g) = \varphi(h) = (1\ 0)$, $\varphi(a) = (0)$, and $\varphi(b) = nil$. Term $t$ = g(f(a)) is evaluated using $\to_\varphi$ on $\varphi(t) = g_{(1\,0)}(f_{(0\,1)}(a_{(0)}))$ (the two steps that contract a redex are the ones rewriting a to b and g(f(b)) to h(f(b))):

$(g_{(1\,0)}(f_{(0\,1)}(a_{(0)})), \Lambda) \to_\varphi (g_{(0)}(f_{(0\,1)}(a_{(0)})), 1) \to_\varphi (g_{(0)}(f_{(1)}(a_{(0)})), 1) \to_\varphi (g_{(0)}(f_{nil}(a_{(0)})), 1.1) \to_\varphi (g_{(0)}(f_{nil}(b_{nil})), 1.1) \to_\varphi (g_{(0)}(f_{nil}(b_{nil})), 1) \to_\varphi (g_{(0)}(f_{nil}(b_{nil})), \Lambda) \to_\varphi (h_{(1\,0)}(f_{nil}(b_{nil})), \Lambda) \to_\varphi (h_{(0)}(f_{nil}(b_{nil})), 1) \to_\varphi (h_{(0)}(f_{nil}(b_{nil})), \Lambda) \to_\varphi (h_{nil}(f_{nil}(b_{nil})), \Lambda)$

where $(h_{nil}(f_{nil}(b_{nil})), \Lambda)$ is a $\to_\varphi$-normal form. Then, h(f(b)) $\in eval_\varphi(t)$.
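The relation $\to_\varphi$ defined above, implemented as an added example (this is not the paper's code, nor that of any OBJ system). Labelled terms carry the remaining local strategy as a tuple of ints, `step` applies items (1) to (4) of the definition, and `evaluate` iterates from $(\varphi(t), \Lambda)$ to a normal form, also recording the erased terms seen on the way (the $\mu$-rewriting steps that Theorem 1 associates with the evaluation). Two assumptions: when several rules apply at a 0 item, the first one listed is taken (so `evaluate` computes one element of $eval_\varphi(t)$, which is a set), and $\varphi(c)$, unspecified in Example 3, is taken to be (0). The block also runs Example 1 with Maude-style default strategies assumed for the symbols that carry none, and the TRS f(a) → f(a), a → b under $\varphi(f) = (1\ 0)$ and under $\varphi(f) = (0\ 1\ 0)$, the latter producing the infinite $\to_\varphi$-sequence discussed in Example 6 below.

```python
"""Nagaya's operational semantics of rewriting under E-strategy maps.

Added example, not the paper's code. Unlabelled terms are (sym, args) tuples
with variables as plain strings; labelled terms are (sym, label, args) where
label is the remaining local strategy as a tuple of ints (nil = ()).
"""

def T(sym, *args):
    """Build the unlabelled term sym(args)."""
    return (sym, args)

def show(t):
    """Render an unlabelled term, e.g. 'g(f(a))'."""
    sym, args = t
    return sym if not args else f"{sym}({','.join(show(a) for a in args)})"

def label(t, phi, sigma=None):
    """phi(t): attach phi(f) to every symbol; variables are taken from sigma."""
    if isinstance(t, str):
        return sigma[t]
    sym, args = t
    return (sym, phi[sym], tuple(label(a, phi, sigma) for a in args))

def erase(t):
    """Remove the labellings."""
    sym, _, args = t
    return (sym, tuple(erase(a) for a in args))

def match(pat, t, sigma):
    """Match the unlabelled pattern pat against the labelled term t, extending sigma."""
    if isinstance(pat, str):
        if pat in sigma:
            return erase(sigma[pat]) == erase(t)
        sigma[pat] = t
        return True
    sym, args = pat
    return (t[0] == sym and len(args) == len(t[2])
            and all(match(a, b, sigma) for a, b in zip(args, t[2])))

def subterm(t, p):
    """t|_p for a position p given as a tuple of 1-based indices."""
    for i in p:
        t = t[2][i - 1]
    return t

def replace(t, p, s):
    """t[s]_p."""
    if not p:
        return s
    sym, lab, args = t
    i = p[0] - 1
    return (sym, lab, args[:i] + (replace(args[i], p[1:], s),) + args[i + 1:])

def step(t, p, rules, phi):
    """One -->_phi step from (t, p) following items (1)-(4) of the definition;
    None when (t, p) is a -->_phi-normal form."""
    sym, lab, args = subterm(t, p)
    if not lab:                                   # (1) f_nil: return to the parent
        return (t, p[:-1]) if p else None
    i, rest = lab[0], lab[1:]
    if i > 0:                                     # (2) evaluate argument i next
        return replace(t, p, (sym, rest, args)), p + (i,)
    for l, r in rules:                            # (4) 0: apply a rule at p, relabel the rhs
        sigma = {}
        if match(l, (sym, lab, args), sigma):
            return replace(t, p, label(r, phi, sigma)), p
    return replace(t, p, (sym, rest, args)), p    # (3) 0 but not a redex: drop the 0

def evaluate(t, rules, phi, limit=10_000):
    """One element of eval_phi(t) for a ground term t, plus the erased terms seen
    (each change is a mu-rewriting step by Theorem 1)."""
    cur, p = label(t, phi), ()
    trace = [erase(cur)]
    for _ in range(limit):
        nxt = step(cur, p, rules, phi)
        if nxt is None:
            return erase(cur), trace
        cur, p = nxt
        if erase(cur) != trace[-1]:
            trace.append(erase(cur))
    raise RuntimeError("no -->_phi-normal form within the step limit")

def terminates(t, rules, phi, limit=1000):
    """True if the -->_phi-sequence from (phi(t), Lambda) ends within `limit` steps."""
    try:
        evaluate(t, rules, phi, limit)
        return True
    except RuntimeError:
        return False

# Example 3 of the paper; phi(c) is not given there and is assumed to be (0).
RULES3 = [(T("f", T("b")), T("c")), (T("g", "x"), T("h", "x")),
          (T("h", T("c")), T("g", T("f", T("a")))), (T("a"), T("b"))]
PHI3 = {"f": (0, 1), "g": (1, 0), "h": (1, 0), "a": (0,), "b": (), "c": (0,)}

# Example 1; strategies other than the explicit (1 0) of '::' are assumed Maude-style defaults.
RULES1 = [(T("nth", T("s", "X"), T("::", "Y", "L")), T("nth", "X", "L")),
          (T("nth", T("0"), T("::", "X", "L")), "X"),
          (T("inf", "X"), T("::", "X", T("inf", T("s", "X"))))]
PHI1 = {"::": (1, 0), "nth": (1, 2, 0), "inf": (1, 0), "s": (1, 0), "0": (0,)}

# f(a) -> f(a), a -> b under the strategies of Example 4 and of Example 6.
RULES4 = [(T("f", T("a")), T("f", T("a"))), (T("a"), T("b"))]
PHI4 = {"f": (1, 0), "a": (0,), "b": ()}
PHI6 = {"f": (0, 1, 0), "a": (0,), "b": ()}

if __name__ == "__main__":
    nf, trace = evaluate(T("g", T("f", T("a"))), RULES3, PHI3)
    print(show(nf), [show(u) for u in trace])
    print(show(evaluate(T("nth", T("s", T("0")), T("inf", T("0"))), RULES1, PHI1)[0]))
    print(terminates(T("f", T("a")), RULES4, PHI4), terminates(T("f", T("a")), RULES4, PHI6))
```

For Example 3 the erased terms seen are g(f(a)), g(f(b)), h(f(b)), i.e. the two $\mu$-rewriting steps the evaluation induces; note that f(b) is a redex in the final term but is never contracted, because the 0 item of $\varphi(f)$ was consumed before argument 1 was evaluated.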

According to the previous definition of $eval_\varphi$, we can say that

A TRS $\mathcal{R}$ is $\varphi$-terminating if, for all $t \in T(\Sigma, X)$, there is no infinite $\to_\varphi$-rewrite sequence starting from $(\varphi(t), \Lambda)$.

Since local strategies are finite lists, the number of $\to_\varphi$-reduction steps that correspond to items (1) to (3) of the definition of $\to_\varphi$ (and that keep the erased terms unchanged) is finite. Thus, according to Theorem 1 we have the following.

Theorem 2. [Luc01] Let $\mathcal{R}$ be a TRS and $\varphi$ be a positive E-strategy map. If $\mathcal{R}$ is $\mu$-terminating, then $\mathcal{R}$ is $\varphi$-terminating.

³ For instance, in Maude, the default local strategy associated to a $k$-ary symbol $f$ is $(1\ 2 \cdots k\ 0)$, see [Eke98].

⁴ As in [GWMFJ00], by OBJ we mean OBJ2, OBJ3, CafeOBJ, or Maude.
Theorem 2 connects termination of CSR and $\varphi$-termination for positive E-strategy maps $\varphi$. Termination of CSR has been studied in [GM99,Luc96,Zan97]. For instance, the (TRS which represents the) OBJ program of Example 1 can be proved ($\mu$-)terminating by using Zantema's techniques (see Examples 2 and 3 of [Zan97]). However, termination of CSR only approximates $\varphi$-termination.

Example 4. Consider the TRS [Gra96]:

f(a) → f(a)
a → b

and let $\varphi(f) = (1\ 0)$ and $\varphi(a) = (0)$. This TRS is $\varphi$-terminating, but it is not $\mu$-terminating, since we have: f(a) $\hookrightarrow_\mu$ f(a) $\hookrightarrow_\mu \cdots$.

The point here is that computations under the E-strategy are 'basically' innermost. Innermost rewriting computations can be terminating even for nonterminating TRSs. This gives rise to the topic of innermost termination of rewriting, which has been studied in e.g. [AG97,Gra96]. For instance, the TRS of Example 4 is nonterminating, but innermost terminating [Gra96].

Given a TRS $\mathcal{R} = (\Sigma, R)$, we consider $\Sigma$ as the disjoint union $\Sigma = \mathcal{C} \uplus \mathcal{D}$ of symbols $c \in \mathcal{C}$, called constructors, and symbols $f \in \mathcal{D}$, called defined functions, where $\mathcal{D} = \{root(l) \mid l \to r \in R\}$ and $\mathcal{C} = \Sigma - \mathcal{D}$. We say that an E-strategy map $\varphi$ is elementary if for all $f \in \mathcal{D}$, $\varphi(f) = (i_1 \cdots i_n\ 0)$ and $i_j > 0$ for $1 \le j \le n$.

Remark 1. Consecutive occurrences of zero can be simplified into a single one (Corollary 3.3 in [Eke98]). Since [Eke98,Nag99] discuss why in interesting cases 0 is the last index of local strategies associated to defined symbols, the only critical requirement which is introduced with elementary strategies is that 0 occurs only at the end of the local strategy.



Theorem 3. Let $\mathcal{R} = (\mathcal{C} \uplus \mathcal{D}, R)$ be a TRS and $\varphi$ be a positive elementary E-strategy map. Let $t \in T(\Sigma, X)$. If $(\varphi(t), \Lambda) \to_\varphi^{*} (s, p)$, then $p \in Pos^\mu(erase(s))$ and $t \stackrel{i}{\hookrightarrow}_\mu^{*} erase(s)$.

Theorem 3 does not hold without requiring elementarity of $\varphi$.

Example 5. Consider $\mathcal{R}$, $\varphi$, and $t$ as in Example 3. According to Theorem 1, the $\mu$-rewriting steps associated to the evaluation of $t$ are:

g(f(a)) $\hookrightarrow_\mu$ g(f(b)) $\hookrightarrow_\mu$ h(f(b))

Due to the redex f(b), the second $\mu$-rewriting step is not innermost.

Reasoning in a way similar to Theorem 1 and Theorem 2, Theorem 3 entails the following.

Theorem 4. Let $\mathcal{R} = (\mathcal{C} \uplus \mathcal{D}, R)$ be a TRS and $\varphi$ be a positive elementary E-strategy map. If $\mathcal{R}$ is innermost $\mu$-terminating, then $\mathcal{R}$ is $\varphi$-terminating.

For nonelementary E-strategies, Theorem 4 can fail to hold.
Example 6. Consider the TRS $\mathcal{R}$ of Example 4 and $\varphi$ given by $\varphi(f) = (0\ 1\ 0)$, $\varphi(a) = (0)$, and $\varphi(b) = nil$. Note that $\mathcal{R}$ is innermost $\mu$-terminating. However, $\mathcal{R}$ is not $\varphi$-terminating, since we have:

$(f_{(0\,1\,0)}(a_{(0)}), \Lambda) \to_\varphi (f_{(0\,1\,0)}(a_{(0)}), \Lambda) \to_\varphi \cdots$


Since $\mu$-termination implies innermost $\mu$-termination (but not vice versa), analyzing innermost termination of CSR provides a more accurate framework for proving termination of TRSs under positive, elementary E-strategies. In fact, we obtain a complete proof method.

Theorem 5. Let $\mathcal{R} = (\mathcal{C} \uplus \mathcal{D}, R)$ be a TRS and $\varphi$ be a positive elementary E-strategy map. If $\mathcal{R}$ is $\varphi$-terminating, then $\mathcal{R}$ is innermost $\mu$-terminating.

Without elementarity, $\varphi$-termination may not imply innermost $\mu$-termination.

Example 7. Consider $\mathcal{R}$ and $\varphi$ as in Example 3. Note that $\mathcal{R}$ is not innermost $\mu$-terminating:

h(c) $\stackrel{i}{\hookrightarrow}_\mu$ g(f(a)) $\stackrel{i}{\hookrightarrow}_\mu$ g(f(b)) $\stackrel{i}{\hookrightarrow}_\mu$ g(c) $\stackrel{i}{\hookrightarrow}_\mu$ h(c) $\stackrel{i}{\hookrightarrow}_\mu \cdots$

However, $\mathcal{R}$ is $\varphi$-terminating, since whenever (the labelled version of) the term g(f(a)) is reached, the derivation stops in h(f(b)) without producing h(c), which is needed to generate the cycle (see Example 3).

5 Termination of Rewriting under van de Pol's Strategy Annotations

Let $\mathcal{R} = (\Sigma, R)$ be a TRS. According to van de Pol [Pol01], a strategy annotation associated to a given symbol $f \in \Sigma$ is a list $\varsigma(f)$ whose elements can be either a number $i \in \{1, \ldots, ar(f)\}$ or a rule $l \to r \in R$ such that $root(l) = f$. In principle, strategy annotations contain no duplicated items [Pol01].

Example 8. Consider the TRS [Pol01]:

$\alpha$: if(true,x,y) → x
$\beta$: if(false,x,y) → y
$\gamma$: if(x,y,y) → y

Then, a possible strategy annotation for if is $\varsigma(\text{if}) = [1, \alpha, \beta, 2, 3, \gamma]$.

We say that $\varsigma$ is full regarding rules (or just r-full) if for all $l \to r \in R$, $l \to r \in \varsigma(root(l))$. Given a strategy annotation, van de Pol describes the rewriting strategy that it specifies. A rewriting strategy is seen as a function that, given a term $t$, yields either some rewrite of $t$, i.e., a pair $(p, s)$ such that $t \stackrel{p}{\to} s$, or $\bot$ if no rewrite step has been selected. Given a term $t$ and a strategy annotation $\varsigma$, $rewr_\varsigma$ indicates the (unique, if any) rewrite step that can be performed on $t$.
Definition 1. [Pol01] Let ℛ = (Σ, R) be a TRS, ς be a strategy annotation, and t ∈ T(Σ, X). Then, rewr_ς(t) = rewr_ς(t, ς(root(t))), where

$$
\begin{array}{rcl}
\mathit{rewr}_\varsigma(t, \mathit{nil}) & = & \bot \\[2pt]
\mathit{rewr}_\varsigma(t, (l \to r : L)) & = & \begin{cases}
(\Lambda, \sigma(r)) & \text{if } t = \sigma(l) \text{ for some } \sigma \\
\mathit{rewr}_\varsigma(t, L) & \text{otherwise}
\end{cases} \\[2pt]
\mathit{rewr}_\varsigma(t, (i : L)) & = & \begin{cases}
(i.p,\ t[s]_i) & \text{if } \mathit{rewr}_\varsigma(t|_i) = (p, s) \text{ for some } p, s \\
\mathit{rewr}_\varsigma(t, L) & \text{otherwise}
\end{cases}
\end{array}
$$

We write t →^p_ς s (or just t →_ς s) if (p, s) = rewr_ς(t) ≠ ⊥. Thus, t is a →_ς-normal form (or just a ς-normal form) if and only if rewr_ς(t) = ⊥.

Remark 2. Van de Pol's strategy annotations include not only indices of arguments of function symbols but also rules defining function symbols. Occurrences of 0 in E-strategies can be thought of as abstractions of these items. Given a strategy annotation ς, it is immediate to obtain a 'corresponding' E-strategy map φ by replacing rule items l → r in ς(f) by 0, for each f ∈ Σ (and removing consecutive occurrences of 0, see Remark 1 above).

Given a strategy annotation ς for Σ, we let μ^ς ∈ M_Σ be μ^ς(f) = {i ∈ ℕ | i ∈ ς(f)} for each f ∈ Σ. We drop the superscript ς if no confusion arises. The following theorem establishes a very close connection between →_ς and →_μ.

Theorem 6. Let ℛ be a TRS, ς be a strategy annotation, and t, s ∈ T(Σ, X). If t →_ς s, then t →_μ s.

We say that a TRS is ς-terminating if →_ς is terminating. According to Theorem 6, we have the following immediate consequence.



Theorem 7. Let ℛ be a TRS and ς be a strategy annotation. If ℛ is μ-terminating, then ℛ is ς-terminating.

Termination of →_ς can also be characterized as innermost μ-termination: A strategy annotation ς is elementary for a TRS ℛ = (𝒞 ⊎ 𝒟, R) if there are no f ∈ 𝒟, α ∈ R, and i ∈ ℕ such that α : i : L is a suffix of ς(f).

Theorem 8. Let ℛ be a TRS, ς be an r-full, elementary strategy annotation, and t, s ∈ T(Σ, X). If t →_ς s, then s is obtained from t by an innermost μ-rewriting step.

Note that r-fullness is necessary in Theorem 8 to ensure that the step t →_ς s does not forget any inner redex due to the lack of the corresponding rule in the strategy annotations. Hence, we have the following.



Theorem 9. Let ℛ be a TRS and ς be an r-full, elementary strategy annotation. If ℛ is innermost μ-terminating, then ℛ is ς-terminating.

In general, ς-termination does not imply (innermost) μ-termination.

Example 9. Consider the TRS ℛ:

α : b → a      β : b → c(b)

and ς given by ς(b) = [α, β] and ς(c) = [1]. Then, ℛ is clearly ς-terminating, but it is not (innermost) μ-terminating.

Example 9 also shows that ς-termination of a TRS does not imply φ-termination for the corresponding E-strategy map (see Remark 2), since a local strategy (0) for b and (1) for c in Example 9 would lead to nonterminating computations with the E-strategy. Moreover, φ-termination does not imply ς-termination either.

Example 10. Consider the following TRS (based on that of Example 8):

α : if(true,x,y) → x      γ : if(x,y,y) → a
β : if(false,x,y) → y      δ : b → if(a,b,b)

and ς(if) = [1,α,β,2,3,γ], ς(b) = [δ]. The corresponding E-strategy map is φ(if) = (1 0 2 3 0), φ(b) = (0). Note that ℛ is not ς-terminating:

b →_ς if(a,b,b) →_ς if(a,if(a,b,b),b) →_ς ···

However, ℛ is φ-terminating, since we have:

( b( 0 ) ; d) — (ifQ 0 2 3 0 ) >^( 0 ) >'^( 0 ) 

( f^(0 2 3 0) » 1^(0) >1^(0) 
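The function rewr_ς of Definition 1, together with the ς-derivations of Examples 9 and 10, as an added example that is not code from the paper; the term encoding, the dict layout of annotations and rules, and all function names are my own choices.

```python
# Added example (not code from the paper): van de Pol's strategy annotations
# as in Definition 1, on first-order terms.  A term is (symbol, (arg, ...)),
# a variable is a plain string, a position is a tuple of ints (() is Lambda).
# Rule items in an annotation list are rule names; integer items are argument
# indices.  All names, the dict encodings and the test terms are my own choices.
ROOT = ()


def T(sym, *args):
    """Build the term sym(args...)."""
    return (sym, tuple(args))


def match(pat, term, sub):
    """Syntactic matching: extend `sub` so that sub(pat) == term, or fail."""
    if isinstance(pat, str):                       # a variable
        if pat in sub:
            return sub[pat] == term
        sub[pat] = term
        return True
    if isinstance(term, str) or pat[0] != term[0] or len(pat[1]) != len(term[1]):
        return False
    return all(match(p, a, sub) for p, a in zip(pat[1], term[1]))


def apply(sub, term):
    """Apply a substitution to a term."""
    if isinstance(term, str):
        return sub[term]
    return (term[0], tuple(apply(sub, a) for a in term[1]))


def rewr(t, sa, rules, items=None):
    """rewr_ς(t, L): the unique step (position, result) chosen by the list L,
    or None for ⊥.  With items=None, L = ς(root(t)); a symbol without an
    annotation gets nil."""
    if isinstance(t, str):
        return None
    if items is None:
        items = sa.get(t[0], [])
    for item in items:                             # walk L left to right
        if isinstance(item, int):                  # (i : L): step below argument i
            step = rewr(t[1][item - 1], sa, rules)
            if step is not None:
                p, s = step
                args = list(t[1])
                args[item - 1] = s                 # t[s]_i
                return ((item,) + p, (t[0], tuple(args)))
        else:                                      # (l -> r : L): step at the root
            l, r = rules[item]
            sub = {}
            if match(l, t, sub):
                return (ROOT, apply(sub, r))
    return None                                    # rewr_ς(t, nil) = ⊥


def derivation(t, sa, rules, max_steps):
    """Follow ->_ς from t until a ς-normal form or max_steps steps."""
    terms = [t]
    for _ in range(max_steps):
        step = rewr(terms[-1], sa, rules)
        if step is None:
            break
        terms.append(step[1])
    return terms


A, B, TRUE, FALSE = T('a'), T('b'), T('true'), T('false')

# Example 9: alpha: b -> a, beta: b -> c(b); ς(b) = [alpha, beta], ς(c) = [1].
EX9_RULES = {'alpha': (B, A), 'beta': (B, T('c', B))}
EX9_SA = {'b': ['alpha', 'beta'], 'c': [1]}

# Example 10: ς(if) = [1, alpha, beta, 2, 3, gamma], ς(b) = [delta].
EX10_RULES = {
    'alpha': (T('if', TRUE, 'x', 'y'), 'x'),
    'beta': (T('if', FALSE, 'x', 'y'), 'y'),
    'gamma': (T('if', 'x', 'y', 'y'), A),
    'delta': (B, T('if', A, B, B)),
}
EX10_SA = {'if': [1, 'alpha', 'beta', 2, 3, 'gamma'], 'b': ['delta']}

if __name__ == '__main__':
    print(derivation(B, EX9_SA, EX9_RULES, 10))    # b -> a, then stuck: ς-terminating
    print(derivation(B, EX10_SA, EX10_RULES, 3))   # b -> if(a,b,b) -> if(a,if(a,b,b),b) -> ...
```

Because rule α of Example 9 precedes β in ς(b), the β-redex is never selected, which is exactly why ℛ is ς-terminating but not μ-terminating.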

6 Proving Innermost Termination of CSR

Innermost termination of CSR has been related to termination of elementary local and van de Pol's strategies. How can innermost termination of CSR be proven? Since proving μ-termination of a TRS ℛ is usually achieved by proving termination of a transformed TRS (e.g., [GM99,Luc96,Zan97]), the question naturally arises of whether innermost μ-termination is detected by these transformations. In this section, we investigate this problem.

The first correct transformation for proving termination of CSR was described in [Luc96]. The basic idea is very simple: since non-μ-replacing arguments cannot be rewritten with CSR, it makes sense to remove them (by appropriately reducing the arity of symbols): Given a signature Σ, the μ-contracted signature Σ^μ is obtained by renaming each f ∈ Σ as f^μ ∈ Σ^μ and giving it the arity ar(f^μ) = |μ(f)|. Terms from the signatures Σ and Σ^μ are related by a μ-contracting function τ^μ : T(Σ, X) → T(Σ^μ, X). This function drops the non-replacing immediate subterms of a term t and constructs a 'μ-contracted' term by joining the (also transformed) replacing arguments below the corresponding operator of the μ-contracted signature. Transformation τ^μ can be used to transform TRSs. Let ℛ = (Σ, R) be a TRS and μ ∈ M_Σ. The set of rules of the μ-contraction ℛ^μ = (Σ^μ, R^μ) of ℛ is R^μ = {τ^μ(l) → τ^μ(r) | l → r ∈ R}.

The following example illustrates μ-contraction and shows that, in general, the transformation is not correct for proving innermost μ-termination.
Example 11. Consider the TRS ℛ:

f(a(b)) → f(a(b))      a(c) → b

and μ(a) = ∅, μ(f) = {1}. Then, ℛ^μ is (we use the same symbols; the arities may decrease due to removing non-μ-replacing arguments)

f(a) → f(a)      a → b

which is innermost terminating. However, ℛ is not innermost μ-terminating, since we have: f(a(b)) → f(a(b)) → ···

However, when considering the canonical replacement map μ^can_ℛ, which is the most restrictive replacement map (in M_Σ) ensuring that the non-variable subterms of the left-hand sides of the rules of ℛ are replacing, i.e., the minimum Σ-map μ such that ∀l ∈ L(ℛ), Pos_Σ(l) ⊆ Pos^μ(l) [Luc98], we have the following.

Theorem 10. Let ℛ = (Σ, R) be a left-linear TRS and μ ∈ M_Σ be such that μ^can_ℛ ⊑ μ. If ℛ^μ is innermost terminating, then ℛ is innermost μ-terminating.

The main problem with the contractive transformation is that it is only useful to prove μ-termination of μ-conservative TRSs. A TRS ℛ is μ-conservative if ℛ^μ has no rule with extra variables in the right-hand side [Luc96]. An extra variable x can appear in a rule of ℛ^μ if all occurrences of x are non-μ-replacing in the left-hand side l of the corresponding rule l → r of ℛ, but x is μ-replacing in r.
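The μ-contraction τ^μ, the canonical replacement map μ^can_ℛ and the μ-conservativeness check just described, run on Examples 11 and 12, as an added example that is not code from the paper; the function names and the third, non-conservative TRS are my own.

```python
# Added example (not code from the paper): the μ-contraction of [Luc96] and the
# canonical replacement map of [Luc98] described above.  Terms are
# (symbol, (arg, ...)) with variables as strings; a replacement map is a dict
# symbol -> set of replacing argument indices (missing symbols map to the
# empty set).  Function names and the constructed third TRS are my own.


def T(sym, *args):
    return (sym, tuple(args))


def variables(t):
    """Set of variables occurring in t."""
    if isinstance(t, str):
        return {t}
    return set().union(*(variables(a) for a in t[1]))


def canonical_map(rules):
    """μ^can: the minimum map making every non-variable subterm of every
    left-hand side replacing (Pos_Σ(l) ⊆ Pos^μ(l))."""
    mu = {}

    def visit(t):
        mu.setdefault(t[0], set())
        for i, a in enumerate(t[1], start=1):
            if not isinstance(a, str):            # non-variable subterm at i
                mu[t[0]].add(i)
                visit(a)

    for l, _ in rules:
        visit(l)
    return mu


def leq(mu1, mu2):
    """μ1 ⊑ μ2 iff μ1(f) ⊆ μ2(f) for every symbol f."""
    return all(mu1[f] <= mu2.get(f, set()) for f in mu1)


def contract(t, mu):
    """τ^μ(t): drop the non-μ-replacing immediate subterms, recursively;
    symbols keep their names and their arity shrinks to |μ(f)|."""
    if isinstance(t, str):
        return t
    keep = mu.get(t[0], set())
    return (t[0], tuple(contract(a, mu) for i, a in enumerate(t[1], start=1) if i in keep))


def contract_trs(rules, mu):
    """R^μ = {τ^μ(l) -> τ^μ(r) | l -> r in R}."""
    return [(contract(l, mu), contract(r, mu)) for l, r in rules]


def non_conservative_rules(rules, mu):
    """Rules of R^μ with extra variables in the right-hand side; empty iff
    the TRS is μ-conservative, i.e. iff R^μ really is a TRS."""
    return [(l, r) for l, r in contract_trs(rules, mu) if variables(r) - variables(l)]


A, B, C = T('a'), T('b'), T('c')

# Example 11: f(a(b)) -> f(a(b)), a(c) -> b with μ(a) = {}, μ(f) = {1}.
EX11_RULES = [(T('f', T('a', B)), T('f', T('a', B))), (T('a', C), B)]
EX11_MU = {'a': set(), 'f': {1}}

# Example 12: f(b,a(x)) -> f(b,a(b)) with μ(a) = {}, μ(f) = {1, 2}.
EX12_RULES = [(T('f', B, T('a', 'x')), T('f', B, T('a', B)))]
EX12_MU = {'a': set(), 'f': {1, 2}}

# Constructed (not from the paper): g(x,y) -> h(y) with μ(g) = {1}, μ(h) = {1}
# is not μ-conservative, since τ^μ drops the only occurrence of y on the left.
NC_RULES = [(T('g', 'x', 'y'), T('h', 'y'))]
NC_MU = {'g': {1}, 'h': {1}}

if __name__ == '__main__':
    print(contract_trs(EX11_RULES, EX11_MU))        # f(a) -> f(a), a -> b
    print(canonical_map(EX11_RULES), leq(canonical_map(EX11_RULES), EX11_MU))
    print(non_conservative_rules(NC_RULES, NC_MU))
```

For Example 11 the check μ^can_ℛ ⊑ μ fails (μ^can_ℛ(a) = {1} but μ(a) = ∅), so Theorem 10 does not apply there, whereas the map of Example 12 passes it.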

In order to overcome this problem, given ℛ and μ, Zantema [Zan97] defines a new transformed TRS ℛ^μ_Z which is obtained by marking the non-replacing arguments of function symbols (disregarding their positions, see [Zan97] for a detailed description of the transformation). Unfortunately, Zantema's transformation is not correct for proving innermost μ-termination.

Example 12. Consider the TRS ℛ:

f(b,a(x)) → f(b,a(b))

and μ(a) = ∅, μ(f) = {1, 2} (note that μ^can_ℛ ⊑ μ). Then, ℛ^μ_Z is:

f(b,a(x)) → f(b,a(b'))      activate(b') → b
b → b'                      activate(x) → x

where b' and activate are new symbols. It is not difficult to see that ℛ^μ_Z is innermost terminating. However, ℛ is not innermost μ-terminating.

Recently, Giesl and Middeldorp have introduced a transformation which can be used to prove termination of CSR [GM99] and that (at least from the theoretical point of view) is strictly more powerful than the contractive transformation and Zantema's transformation¹. They mark the replacing positions of a term (by using a new symbol active), since these positions are the only ones where CSR may take place. Given a TRS ℛ = (Σ, R) and μ ∈ M_Σ, the TRS ℛ^μ_GM = (Σ ∪ {active, mark}, R^μ_GM) consists of the rules (for all l → r ∈ R and f ∈ Σ):

active(l) → mark(r)
mark(f(x1, ..., xk)) → active(f([x1]_f, ..., [xk]_f))
active(x) → x

where [xi]_f = mark(xi) if i ∈ μ(f), otherwise [xi]_f = xi. Concerning this transformation, we have the following result.

¹ The first statement is proved in [GM99]; the second one has been demonstrated recently [GM01].



Theorem 11. Let ℛ = (Σ, R) be a TRS and μ ∈ M_Σ. If ℛ^μ_GM is innermost terminating, then ℛ is innermost μ-terminating.

Giesl and Middeldorp noticed that this transformation is incomplete for proving termination of CSR, i.e., there exist TRSs ℛ and replacement maps μ such that ℛ is μ-terminating but ℛ^μ_GM is not terminating (see Example 1 in [GM99]). The transformation remains incomplete for proving innermost μ-termination.



Example 13. Consider the TRS ℛ of Example 4. If μ = μ^can_ℛ, then ℛ^μ_GM is:

active(f(a)) → mark(f(a))      mark(f(x)) → active(f(mark(x)))
active(a) → mark(b)            mark(a) → active(a)
active(x) → x                  mark(b) → active(b)

ℛ is innermost μ-terminating, but with ℛ^μ_GM we have the following infinite innermost derivation:

active(f(a)) → mark(f(a)) → active(f(mark(a))) → active(f(active(a))) → active(f(a)) → ···

Giesl and Middeldorp also provided a correct and complete transformation to deal with termination of CSR. Basically their idea is to permit a single (context-sensitive) reduction step each time. They achieve this by using new symbols f' for each (non-constant) symbol f ∈ Σ and shifting a single symbol active to (non-deterministically) reach the replacing position where the redex is placed. The application of a rewrite rule changes active into mark, which is propagated upwards through the term in order to be replaced by a new symbol active that enables new reduction steps. After checking that no 'strange' symbols remain uncontrolled (using a symbol proper such that proper(t) reduces to ok(t) if and only if t is a ground term of the original signature), a rule top(ok(x)) → top(active(x)) enables a new reduction step (see [GM99] for a more detailed explanation). Given a TRS ℛ = (Σ, R) and μ ∈ M_Σ, the TRS ℛ^μ_GM' = (Σ ∪ {f' | f ∈ Σ ∧ ar(f) > 0} ∪ {active, mark, ok, proper, top}, R^μ_GM') consists of the following rules: for all l → r ∈ R, f ∈ Σ such that k = ar(f) > 0, i ∈ μ(f), and constants c ∈ Σ:

active(l) → mark(r)
active(f(x1, ..., xi, ..., xk)) → f'(x1, ..., active(xi), ..., xk)
f'(x1, ..., mark(xi), ..., xk) → mark(f(x1, ..., xi, ..., xk))
proper(c) → ok(c)
proper(f(x1, ..., xk)) → f(proper(x1), ..., proper(xk))
f(ok(x1), ..., ok(xk)) → ok(f(x1, ..., xk))
top(mark(x)) → top(proper(x))
top(ok(x)) → top(active(x))



The transformation is also correct for proving innermost termination of CSR. 

Theorem 12. Let ℛ = (Σ, R) be a TRS and μ ∈ M_Σ. If ℛ^μ_GM' is innermost terminating, then ℛ is innermost μ-terminating.



But now the transformation is not complete for proving innermost μ-termination.



Example 14. Consider again the TRS ℛ in Example 4 and μ = μ^can_ℛ. We obtain the following system ℛ^μ_GM':

active(f(a)) → mark(f(a))        proper(b) → ok(b)
active(a) → mark(b)              proper(f(x)) → f(proper(x))
active(f(x)) → f'(active(x))     f(ok(x)) → ok(f(x))
f'(mark(x)) → mark(f(x))         top(mark(x)) → top(proper(x))
proper(a) → ok(a)                top(ok(x)) → top(active(x))

In this case, we have the following infinite innermost derivation:

top(active(f(a))) → top(mark(f(a))) → top(proper(f(a))) →* top(ok(f(a))) → top(active(f(a))) → ···



Surprisingly, for the μ-contractive transformation, we have a completeness result.

Theorem 13. Let ℛ = (Σ, R) be a left-linear TRS and μ ∈ M_Σ be such that μ^can_ℛ ⊑ μ and ℛ is μ-conservative. If ℛ is innermost μ-terminating, then ℛ^μ is innermost terminating.

Note that μ-conservativeness is necessary to ensure that ℛ^μ is a TRS. Since TRSs with extra variables cannot be innermost terminating, without this requirement the theorem would be incorrect.



7 Related Work 

Syntactic annotations have been used in the OBJ family of languages for many years (as local strategies). However, only recently (but quite intensively) has the formal analysis of computations with OBJ's local strategies been addressed (e.g., [Eke98,FGK01,Luc01,Nag99,NO01,OF97,Pol01]). As far as the author knows, only [FGK01,Luc01] have investigated the problem of proving termination of rewriting under positive local strategies. Termination of van de Pol's strategy annotations has not been studied before. In [FGK01], an inductive method is proposed to directly prove (ground) termination of rewriting with positive local strategies without applying any transformation. We have checked that the two examples used in [FGK01] to illustrate their technique can easily be proved terminating by using Zantema's transformation [Zan97] and an automatic tool such as Contejean and Marché's CiME 2.0 system (see http://cime.lri.fr). Moreover, we note that only proofs of termination of CSR (and Theorem 2) are necessary to deal with these examples. On the other hand, in order to be able to use their methods, it is necessary to use a different technique to ensure that the constant symbols are terminating (w.r.t. computations guided by the strategies). This is easy if there is no rewrite rule c → r associated to any constant symbol c. Note that φ-termination of (a TRS containing) the TRS ℛ:

a → f(a)

with φ(f) = nil, could not be proven in this way. However, φ-termination of ℛ is easily proved by using the μ-contractive transformation of [Luc96], since ℛ^μ:

a → f

is clearly terminating. Nevertheless, Fissore et al.'s technique can work when our techniques do not. For instance, the TRS [GF01]

f(a,g(x)) → f(a,h(x))      h(x) → g(x)

terminates with the strategy φ1 such that φ1(f) = (0 1 2) but it does not terminate with φ2(f) = (1 2 0) (let φ1(h) = φ2(h) = (0)). In both cases μ(f) = {1,2}. Thus, we are not able to distinguish them (note that φ1 is not elementary), whereas their technique seems to work [GF01].

8 Conclusions and Future Work 

We have investigated how to prove termination of rewriting under local and van de Pol's strategy annotations. We have also shown that, in general, these problems are not comparable (see Examples 9 and 10). We have shown that the analysis of (innermost) termination of CSR provides a suitable characterization of termination of rewriting under positive local and van de Pol's strategy annotations (it is even complete for local strategies, see Theorems 4 and 5). We have investigated the use of transformations that are correct to prove termination of CSR [GM99,Luc96,Zan97] as formal tools for proving innermost termination of CSR. The transformations of [GM99] are correct for proving innermost termination of CSR. The transformation of [Luc96] is correct for left-linear TRSs and replacement maps that are less restrictive than the canonical replacement map. Zantema's transformation is not correct in the general case.

Concerning future work, we note that a framework aimed at modelling computations under strategy annotations must take into account:

1. The presence of replacement restrictions on the arguments of symbols (i.e., the absence of some indices, as in Example 1).

2. The (possible) innermost character of computations (as in OBJ programs).

3. The position of the occurrences of 0 in strategy annotations (as exemplified by Gnaedig et al.'s previous example).

4. The priority of applying some rules according to (some) strategy annotations (as in van de Pol's approach, see Example 9).

5. The presence of special classes of symbols (e.g., AC operators).

6. The presence of sorts and modules as done in OBJ.

In this paper, we have (partially) covered the first two characteristics. This has proven to be sufficient for completely characterizing termination of rewriting under elementary E-strategies. By also considering other subfields of rewriting such as priority rewriting [Pol98], AC-rewriting [DP01], etc., we would obtain a more accurate characterization of the problem in more general cases². Strategy annotations can also be simulated in programming languages that provide more powerful mechanisms for defining strategies, such as ELAN [BKKMR98]. Our results also apply to ensure termination of programs written in such languages when such kinds of strategies are used. The analysis of termination of ELAN programs controlled by arbitrary strategies is also a subject for future work.

² Termination of AC-CSR has already been studied in [FR99].

Innermost termination of CSR should also be further investigated. It can be very different from termination of CSR. For instance, terminating TRSs are, of course, μ-terminating. However, the innermost terminating TRS of Example 2 is not innermost μ-terminating if μ = μ_⊥. Thus, in contrast to μ-termination, in general it is not possible to prove innermost μ-termination using proofs of innermost termination. On the other hand, it is well-known that innermost termination implies termination for, e.g., nonoverlapping TRSs (see [Gra96]). Since innermost termination can be easier to prove than termination (see [AG97,Gra96]), this is used for obtaining indirect proofs of termination. If this remains true for CSR, then we could obtain new methods for proving termination of CSR.



Acknowledgements. I thank Jürgen Giesl, Isabelle Gnaedig, Olivier Fissore, Aart Middeldorp, and the anonymous referees for their helpful remarks. I also thank O. Fissore for sending me a copy of [FGK01].

References

[AG97] T. Arts and J. Giesl. Proving Innermost Normalisation Automatically. In H. Comon, editor, Proc. of 8th International Conference on Rewriting Techniques and Applications, RTA'97, LNCS 1232:157-171, Springer-Verlag, Berlin, 1997.

[BKKMR98] P. Borovansky, C. Kirchner, H. Kirchner, P.-E. Moreau, and C. Ringeissen. An Overview of ELAN. In C. Kirchner and H. Kirchner, editors, Proc. of 2nd International Workshop on Rewriting Logic and its Applications, WRLA'98, Electronic Notes in Computer Science, 15(1998):1-16, 1998.

[BN98] F. Baader and T. Nipkow. Term Rewriting and All That. Cambridge University Press, 1998.

[CELM96] M. Clavel, S. Eker, P. Lincoln, and J. Meseguer. Principles of Maude. In J. Meseguer, editor, Proc. 1st International Workshop on Rewriting Logic and its Applications, Electronic Notes in Theoretical Computer Science, volume 4, 25 pages, Elsevier Sciences, 1996.

[Der87] N. Dershowitz. Termination of rewriting. Journal of Symbolic Computation, 3:69-115, 1987.

[DP01] N. Dershowitz and D.A. Plaisted. Rewriting. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume 1, chapter 9, Elsevier, 2001.

[Eke98] S. Eker. Term Rewriting with Operator Evaluation Strategies. In C. Kirchner and H. Kirchner, editors, Proc. of 2nd International Workshop on Rewriting Logic and its Applications, WRLA'98, Electronic Notes in Computer Science, 15(1998):1-20, 1998.

[FGJM85] K. Futatsugi, J. Goguen, J.-P. Jouannaud, and J. Meseguer. Principles of OBJ2. In Conference Record of the 12th Annual ACM Symposium on Principles of Programming Languages, POPL'85, pages 52-66, ACM Press, 1985.

[FGK01] O. Fissore, I. Gnaedig, and H. Kirchner. Termination of rewriting with local strategies. In M.P. Bonacina and B. Gramlich, editors, Proc. of 4th International Workshop on Strategies in Automated Deduction, STRATEGIES'01, pages 35-54, 2001.

[FN97] K. Futatsugi and A. Nakagawa. An Overview of CAFE Specification Environment - An algebraic approach for creating, verifying, and maintaining formal specification over networks -. In Proc. of 1st International Conference on Formal Engineering Methods, 1997.

[FR99] M.C.F. Ferreira and A.L. Ribeiro. Context-Sensitive AC-Rewriting. In P. Narendran and M. Rusinowitch, editors, Proc. of 10th International Conference on Rewriting Techniques and Applications, RTA'99, LNCS 1631:286-300, Springer-Verlag, Berlin, 1999.

[GF01] I. Gnaedig and O. Fissore. Personal communication. July 2001.

[GL01] B. Gramlich and S. Lucas (editors). 1st International Workshop on Reduction Strategies in Rewriting and Programming, WRS'01. Proceedings, volume 2359, Servicio de Publicaciones de la Universidad Politécnica de Valencia, 2001. See also: volume 57 of ENTCS, Elsevier, to appear.

[GM99] J. Giesl and A. Middeldorp. Transforming Context-Sensitive Rewrite Systems. In P. Narendran and M. Rusinowitch, editors, Proc. of 10th International Conference on Rewriting Techniques and Applications, RTA'99, LNCS 1631:271-285, Springer-Verlag, Berlin, 1999.

[GM01] J. Giesl and A. Middeldorp. Personal communication. May 2001.

[Gra96] B. Gramlich. On Proving Termination by Innermost Termination. In H. Ganzinger, editor, Proc. of 7th International Conference on Rewriting Techniques and Applications, RTA'96, LNCS 1103:97-107, Springer-Verlag, Berlin, 1996.

[GWMFJ00] J.A. Goguen, T. Winkler, J. Meseguer, K. Futatsugi, and J.-P. Jouannaud. Introducing OBJ. In J. Goguen and G. Malcolm, editors, Software Engineering with OBJ: algebraic specification in action, Kluwer, 2000.

[Luc96] S. Lucas. Termination of context-sensitive rewriting by rewriting. In F. Meyer auf der Heide and B. Monien, editors, Proc. of 23rd International Colloquium on Automata, Languages and Programming, ICALP'96, LNCS 1099:122-133, Springer-Verlag, Berlin, 1996.

[Luc98] S. Lucas. Context-sensitive computations in functional and functional logic programs. Journal of Functional and Logic Programming, 1998(1):1-61, January 1998.

[Luc01] S. Lucas. Termination of on-demand rewriting and termination of OBJ programs. In Proc. of 3rd International Conference on Principles and Practice of Declarative Programming, PPDP'01, pages 82-93, ACM Press, 2001.

[Nag99] T. Nagaya. Reduction Strategies for Term Rewriting Systems. PhD Thesis, School of Information Science, Japan Advanced Institute of Science and Technology, March 1999.

[NO01] M. Nakamura and K. Ogata. The evaluation strategy for head normal form with and without on-demand flags. In K. Futatsugi, editor, Proc. of 3rd International Workshop on Rewriting Logic and its Applications, WRLA'00, Electronic Notes in Theoretical Computer Science, volume 36, 17 pages, 2001.

[OF97] K. Ogata and K. Futatsugi. Implementation of Term Rewritings with the Evaluation Strategy. In H. Glaser and P. Hartel, editors, Proc. of 9th International Symposium on Programming Languages, Implementations, Logics and Programs, PLILP'97, LNCS 1292:225-239, Springer-Verlag, Berlin, 1997.

[Pol98] J. van de Pol. Operational semantics of rewriting with priorities. Theoretical Computer Science, 200:289-312, 1998.

[Pol01] J. van de Pol. Just-in-time: on Strategy Annotations. In [GL01], pages 39-58.

[Vis01] E. Visser. A Survey of Strategies in Program Transformation Systems. In [GL01], pages 97-128.

[Zan97] H. Zantema. Termination of Context-Sensitive Rewriting. In H. Comon, editor, Proc. of 8th International Conference on Rewriting Techniques and Applications, RTA'97, LNCS 1232:172-186, Springer-Verlag, Berlin, 1997.



Inferring Termination Conditions for Logic 
Programs Using Backwards Analysis 



Samir Genaim and Michael Codish 



The Department of Computer Science 
Ben-Gurion University of the Negev 
Beer-Sheva, Israel 
{genaim,mcodish}@cs.bgu.ac.il



Abstract. This paper focuses on the inference of modes for which a logic program is guaranteed to terminate. This generalizes traditional termination analysis where an analyzer tries to verify termination for a specified mode. The contribution is a methodology which combines traditional termination analysis and backwards analysis to obtain termination inference. This leads to a better understanding of termination inference, simplifies its formal justification, and facilitates implementation. We evaluate the application of this approach to enhance an existing termination analyzer to perform also termination inference.



1 Introduction 

This paper focuses on the inference of modes for which a logic program is guaranteed to terminate. This generalizes traditional termination analysis where an analyzer tries to verify termination for a specified mode. For example, for the classic append/3 relation, a standard analyzer will determine that a query of the form append(x, y, z) with x bound to a closed list terminates and likewise for the query in which z is bound to a closed list. In contrast, termination inference provides the result append(x, y, z) ← x ∨ z with the interpretation that the query append(x, y, z) terminates if x or z are bound to closed lists. We refer to the first type of analysis as performing termination checking and to the second as termination inference, and we make the observation that the (missing) link between the two is a technique called backwards analysis.

Backwards analysis addresses the following type of question: Given a program 
and an assertion at a given program point, what are the weakest requirements 
on the inputs to the program which guarantee that the assertion will hold when- 
ever execution reaches that point. In a recent paper, King and Lu [12] describe 
a framework for backwards analysis for logic programs set in the context of 
abstract interpretation. In their approach, the underlying abstract domain is re- 
quired to be condensing or equivalently, a complete Heyting algebra. This ensures 
that when working backwards from an assertion in the program, at each step 
we can find a best approximation (weakest requirement) to eventually provide a 
condition on the inputs which guarantees that the assertion will hold. 
To demonstrate this link between termination checking and termination inference, we apply backwards analysis as described by King and Lu [12] to enhance the termination (checking) analyzer described in [4] so that it will perform also termination inference. Our focus is on universal termination using Prolog's leftmost selection rule and we assume that unifications do not violate the occurs check.

Termination inference is considered previously by Mesnard and coauthors in 
[15,16,17] (with a tool accessible at http://www.complang.tuwien.ac.at/cti). 
Our observation is that the link with backwards analysis provides a straightfor- 
ward justification and also leads to a better implementation design. 



2 Preliminaries and Motivating Example 

We assume a familiarity with the standard logic program terminology [13,1] as well as with the basics of abstract interpretation [5,6]. This section reviews the program analyses upon which we build in the rest of the paper. For notation, in brief: Variables in logic programs are denoted using the upper case as in Prolog; while in relations, Boolean formulae, and other mathematical contexts we use the lower case. We let x̄ denote a tuple of distinct variables x1, ..., xn. To highlight a specific point in a program we use labels of the form ⓐ.

Size relations and instantiation dependencies rest at the heart of termination analysis: size information to infer that some measure on program states decreases as computation progresses; and instantiation information, to infer that the underlying domain is well founded. Consider the recursive clause of the append/3 relation: append([X|Xs], Ys, [X|Zs]) ← append(Xs, Ys, Zs). It does not suffice to observe that the size of the first and third arguments decrease in the recursive call. To guarantee termination one must also ensure that one of these arguments is sufficiently instantiated in order to argue that this recursion can be activated only a finite number of times.

Instantiation information is obtained through abstract interpretation over the domain Pos which consists of the positive Boolean functions augmented with a bottom element (representing the formula false). The elements of the domain are ordered by implication and represent equivalence classes of propositional formulae. This domain is usually associated with its use to infer groundness dependencies where a formula of the form x ∧ (y → z) is interpreted to describe a program state in which x is definitely bound to a ground term and there exists an instantiation dependency such that whenever y becomes bound to a ground term then so does z. Similar analyses can be applied to infer dependencies with respect to other notions of instantiation. For details on Pos see [14].

Size relations express linear information about the sizes of terms (with respect to a given norm function) [2,3,7,11]. For example, the relation x ≤ z ∧ y ≤ z describes a program state in which the sizes of the terms associated with x and y are less than or equal to the size of the term associated with z. Similarly, z = x + y describes a state in which the sum of the sizes of the terms associated with x and y is equal to the size of the term associated with z. Several methods for inferring size relations are described in the literature [2,3,7,8]. They differ primarily in their approach to obtaining a finite analysis, as the abstract domain of size relations contains infinite chains.

Throughout this paper we will use the so-called term-size norm for size relations, for which the corresponding notion of instantiation is groundness. We base our presentation on the termination analyzer described in [4] although we could use as well almost any of the alternatives described in the literature. This analyzer is based on a bottom-up semantics which makes loops observable in the form of binary clauses. This provides a convenient starting point for termination inference as derived in this paper. Each element in the abstraction of this semantics represents a loop and is of the form p(x̄) ← π, p(ȳ) where π is a conjunction of linear constraints.

For the full picture, we note that the analyzer of [4] involves two phases: First, the user provides a program and the analyzer approximates its loops over two domains: size relations and instantiation dependencies. Then, the user specifies the input modes of an initial goal and the analyzer performs a termination check. For termination inference, it is the first part of the first phase of the termination analysis which is useful. From the descriptions of the loops with size information we extract the initial Boolean assertions from which backwards analysis then proceeds. We demonstrate our approach by example in four steps:

The first step: Consider the append/3 relation.

append([X|Xs],Ys,[X|Zs]) :- append(Xs,Ys,Zs).
append([],Ys,Ys).

The termination checker [4] reports a single loop (abstract binary clause):

append(A,B,C) :- [D<A, F<C, B=E], append(D,E,F).

indicating that subsequent calls to append in a computation involve a decrease in size for the first and third arguments (D < A and F < C) and maintain the size of the second argument (B = E). To guarantee that this loop may be traversed only a finite number of times, it is sufficient to require that A or C be sufficiently instantiated. This is expressed as a Boolean condition: append(x, y, z) ← (x ∨ z).

Backwards analysis is now applied to infer the weakest conditions on the program's predicates which guarantee this condition. For this example the inference is complete and we have derived the result: terminates(append(x, y, z)) ← x ∨ z.

The second step: Consider the use of append/3 to define list membership. Adding the clause:

member(X,Xs) :- append(A,[X|B],Xs).

to the program introduces no additional loops. Backwards analysis should specify the weakest condition on member(X, Xs) which guarantees the termination condition A ∨ Xs for append(A, [X|B], Xs). This is obtained through projection, which for backwards analysis is defined in terms of universal quantification as ∀A.(A ∨ Xs). The resulting Boolean precondition for member/2 is: terminates(member(x,y)) ← y.
The third step: We now add to the program a definition for the subset/2 relation:

subset([X|Xs], Ys) :- member(X, Ys), subset(Xs, Ys).
subset([], Ys).

Termination checking reports an additional loop:

subset(A,B) :- [B=D, C<A], subset(C,D).

which will be traversed a finite number of times if the first argument (A) is sufficiently instantiated. However, for the program to terminate both of its loops must terminate, including the one for append/3 in the call to $member(X, Ys)$. So, drawing on the result of the previous step, the second argument of subset/2 must also be instantiated. To sum up, we have $terminates(subset(x, y)) \leftarrow x \land y$.

The fourth step: This step demonstrates that the precondition on a call in a clause body may be (partially) satisfied by answers to calls which precede it. Consider adding to the program the clause:

s(X,Y,Z) :- (a) append(X,Y,T), (b) subset(T,Z).

which defines a relation $s(x, y, z)$ such that the set $z$ contains the union of the sets $x$ and $y$. The preconditions for termination derived in the previous steps specify the conditions $x \lor t$ and $t \land z$ at points (a) and (b) respectively. In addition, from a standard groundness analysis we know that on success $append(x, y, t)$ satisfies $(x \land y) \leftrightarrow t$ (intuitively: data flows either from $x$ and $y$ to $t$ or vice versa). So, instead of imposing on the clause head the conditions from both calls in its body, as we did in the previous step, we may weaken the second condition in view of the results from the first call. Namely, the termination condition inferred for $s(x, y, z)$ is $\forall t.\big((x \lor t) \land (((x \land y) \leftrightarrow t) \to (t \land z))\big) = x \land y \land z$.

In general, the steps illustrated above need to be applied in iteration, although what we have shown works correctly for our example. In the next section we describe more formally the steps required for backwards analysis.



3 Backward Analysis 

This section presents an abstract interpretation for backwards analysis using the domain Pos, distilled from the general presentation given in [12]. Clauses are assumed to be normalized and to contain assertions, so that they are of the form $h(\bar{x}) \leftarrow \mu \diamond b_1, \ldots, b_n$ where $\mu$ is a Pos formula, interpreted as an instantiation condition which must be satisfied when the clause is called, and each $b_i$ is either an atom or a unification operation.

The analysis associates pre- and post-instantiation conditions, specified in Pos, with the predicates of the program. The postcondition $\psi_p$ for predicate $p$ is the result of the standard instantiation dependency analysis. It reflects the instantiations generated by $p$. The precondition $\varphi_p$ for $p$ is a condition which guarantees the termination of calls to $p$. Preconditions are initialized to $true$ (the top element in Pos) and become more restrictive (move down in Pos) through iteration until they stabilize. At each iteration, clauses are processed from right to left using the current approximations for the preconditions on the calls together with the postconditions to infer new approximations for the preconditions.

For the basic step, consider a clause of the form $p \leftarrow \ldots, \text{(a)}\ q, \text{(b)}\ \ldots$. Denote the current approximation of the precondition for $q$ by $\varphi_q$ and its postcondition by $\psi_q$. Assume that processing the clause from right to left has already propagated a condition $e_b$ to the point (b). Then, to ensure that $e_b$ will hold after the success of $q$, it suffices to require at (a) the conjunction of $\varphi_q$ with the weakest condition $\sigma$ such that $(\sigma \land \psi_q) \to e_b$. This $\sigma$ is precisely the pseudo-complement [10] of $\psi_q$ with respect to $e_b$, which for Pos is obtained as $\psi_q \to e_b$. So propagating one step to the left gives the condition $e_a = \varphi_q \land (\psi_q \to e_b)$.

Now consider a clause $h(\bar{x}) \leftarrow \mu \diamond b_1, \ldots, b_n$ with an assertion $\mu \in Pos$. Denote the current approximation of the precondition for $b_i$ by $\varphi_i$ and its postcondition by $\psi_i$ ($1 \le i \le n$). Assume that the current approximation of the precondition for $h(\bar{x})$ is $\varphi$. Backwards analysis infers a new approximation $\varphi'$ on $h(\bar{x})$ by consecutive application of the basic step described above. We start with $e_{n+1} = true$ and through $n$ steps (with $i$ going from $n$ to 1) compute a condition $e_i = \varphi_i \land (\psi_i \to e_{i+1})$ which should hold just before the call to $b_i$. After computing $e_1$ we take $e_0 = \mu \land e_1$ and project $e_0$ on the variables $\bar{x}$ of the head by means of universal quantification. The new condition $\varphi'$ is finally obtained through conjunction with the previous condition $\varphi$.

To be precise, as Pos is not closed under universal quantification, projection of $x$ from $P$ is defined as the largest element in Pos which implies $\forall x.P$. This is well-defined as the bottom element in Pos ($false$) is always a candidate.

Example 1. Consider the clause

subset(A,B) ← A ◇ ① A=[X|Xs], ② B=Ys, ③ member(X,Ys), ④ subset(Xs,Ys) ⑤

(the assertion A states that the first argument must be ground) and assume that the postconditions and the current approximations of the preconditions are (respectively):

$$\left\{\begin{array}{l} member(x, y) \leftarrow (y \to x) \\ subset(x, y) \leftarrow (y \to x) \end{array}\right\} \qquad \left\{\begin{array}{l} member(x, y) \leftarrow y \\ subset(x, y) \leftarrow x \end{array}\right\}$$

The conditions $e_5, \ldots, e_0$ are obtained as follows:

$$\begin{array}{ll}
e_5 = true & e_2 = true \land ((B \leftrightarrow Ys) \to e_3) \\
e_4 = Xs \land ((Ys \to Xs) \to e_5) & e_1 = true \land ((A \leftrightarrow (X \land Xs)) \to e_2) \\
e_3 = Ys \land ((Ys \to X) \to e_4) & e_0 = A \land e_1
\end{array}$$

Projecting $e_0$ to the variables in the head gives $\forall X, Xs, Ys.(e_0) = A \land B$, which leads to the new precondition $subset(x, y) \leftarrow x \land y$. Note that the preconditions for unifications in the clause body are $true$ and their postconditions are the usual groundness dependencies.

Backwards analysis is formalized in [12] as the greatest fixed point of an 
operator over Pos. Our implementation is described in [9]. 
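The following Python script is an added example, not code from this paper or from its TerminWeb implementation. It runs the backwards analysis of this section, with Pos formulas represented as Boolean functions, over the program of Section 2 (append/3, member/2, subset/2 and s/3): the pseudo-complement is computed as $\psi \to e$, projection as universal quantification followed by the Pos check described above, and each iteration conjoins the new condition with the previous one until the preconditions stabilize. The loop assertions $\mu$ and the groundness postconditions $\psi$ are those stated on the page (steps one to four and Example 1); the normalized clause encoding, the variable names and the tabulation of intermediate results are this example's own choices.

```python
from itertools import product

# Pos formulas as Boolean functions over an environment {variable: bool}.
TRUE, FALSE = (lambda e: True), (lambda e: False)
def var(n):    return lambda e: e[n]
def conj(*fs): return lambda e: all(f(e) for f in fs)
def disj(*fs): return lambda e: any(f(e) for f in fs)
def imp(f, g): return lambda e: (not f(e)) or g(e)   # the pseudo-complement in Pos
def iff(f, g): return lambda e: f(e) == g(e)

def forall(names, f):
    """Universal quantification of f over the listed variables."""
    names = tuple(names)
    return lambda e: all(f({**e, **dict(zip(names, bits))})
                         for bits in product((False, True), repeat=len(names)))

def models(f, names):
    """Truth table of f over names: two formulas are equal iff their tables are."""
    return frozenset(b for b in product((False, True), repeat=len(names)) if f(dict(zip(names, b))))

def same(f, g, names):
    return models(f, names) == models(g, names)

def tabulate(f, names):
    """Materialize f as a lookup table (keeps closure chains short across iterations)."""
    table = models(f, names)
    return lambda e: tuple(e[n] for n in names) in table

def project(f, head_vars, body_vars):
    """Largest Pos element implying forall(body_vars).f.  Pos is the set of functions true
    under the all-true assignment, plus false, so the quantified formula itself is the
    answer when it holds at all-true, and false otherwise."""
    g = forall(body_vars, f)
    return g if g({v: True for v in head_vars}) else FALSE

def rename(f, formals, actuals):
    """Read a formula over formal arguments as a formula over actual argument variables."""
    return lambda e: f({fm: e[a] for fm, a in zip(formals, actuals)})

# The program of Section 2, normalized.  Each clause is (pred, head vars, body vars, body);
# a body item is ('=', groundness dependency of the unification) or ('call', pred, actuals).
A, B, C, M, X, Xs, Ys, Zs, L = map(var, "A B C M X Xs Ys Zs L".split())
CLAUSES = [
    ('append', ('A', 'B', 'C'), ('X', 'Xs', 'Ys', 'Zs'),  # append([X|Xs],Ys,[X|Zs]) :- append(Xs,Ys,Zs).
     [('=', iff(A, conj(X, Xs))), ('=', iff(B, Ys)), ('=', iff(C, conj(X, Zs))),
      ('call', 'append', ('Xs', 'Ys', 'Zs'))]),
    ('append', ('A', 'B', 'C'), (), [('=', A), ('=', iff(B, C))]),    # append([],Ys,Ys).
    ('member', ('M', 'N'), ('A', 'L', 'B'),                           # member(X,Xs) :- append(A,[X|B],Xs).
     [('=', iff(L, conj(M, B))), ('call', 'append', ('A', 'L', 'N'))]),
    ('subset', ('A', 'B'), ('X', 'Xs', 'Ys'),                         # subset([X|Xs],Ys) :- member(X,Ys), subset(Xs,Ys).
     [('=', iff(A, conj(X, Xs))), ('=', iff(B, Ys)),
      ('call', 'member', ('X', 'Ys')), ('call', 'subset', ('Xs', 'Ys'))]),
    ('subset', ('A', 'B'), (), [('=', A)]),                           # subset([],Ys).
    ('s', ('X', 'Y', 'Z'), ('T',),                                    # s(X,Y,Z) :- append(X,Y,T), subset(T,Z).
     [('call', 'append', ('X', 'Y', 'T')), ('call', 'subset', ('T', 'Z'))]),
]
FORMALS = {'append': ('x', 'y', 'z'), 'member': ('x', 'y'), 'subset': ('x', 'y'), 's': ('x', 'y', 'z')}
x, y, z = var('x'), var('y'), var('z')
# Postconditions psi_p (groundness analysis) and loop assertions mu_p, both as given on the page.
POST = {'append': iff(conj(x, y), z), 'member': imp(y, x), 'subset': imp(y, x), 's': TRUE}
MU = {'append': disj(x, z), 'member': TRUE, 'subset': x, 's': TRUE}

def clause_condition(clause, pre):
    """Right-to-left pass: e_i = phi_i /\ (psi_i -> e_{i+1}), e_0 = mu /\ e_1, then project."""
    pred, head, body_vars, body = clause
    e = TRUE
    for item in reversed(body):
        if item[0] == '=':
            phi, psi = TRUE, item[1]     # a unification never loops; its answer is the dependency
        else:
            _, q, actuals = item
            phi, psi = rename(pre[q], FORMALS[q], actuals), rename(POST[q], FORMALS[q], actuals)
        e = conj(phi, imp(psi, e))
    e0 = conj(rename(MU[pred], FORMALS[pred], head), e)
    return rename(project(e0, head, body_vars), head, FORMALS[pred])

def infer_preconditions():
    """Greatest fixpoint: start from true and strengthen until the preconditions stabilize."""
    pre = {p: tabulate(TRUE, FORMALS[p]) for p in FORMALS}
    while True:
        new = {p: tabulate(conj(pre[p], *(clause_condition(c, pre) for c in CLAUSES if c[0] == p)),
                           FORMALS[p]) for p in FORMALS}
        if all(same(new[p], pre[p], FORMALS[p]) for p in FORMALS):
            return pre
        pre = new

RESULT = infer_preconditions()   # append: x v z, member: y, subset: x ^ y, s: x ^ y ^ z
```

Running the script yields the conditions derived in Section 2: $x \lor z$ for append/3, $y$ for member/2, $x \land y$ for subset/2 and $x \land y \land z$ for s/3. The conditions for member, subset and s each depend on the one inferred for the predicate they call, which is why several iterations are needed before the fixpoint is reached.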
4 Termination Inference



Termination inference proceeds as follows: (a) apply the initial phase of the 
termination analysis described in [4] to obtain a set of abstract binary clauses 
which approximate the loops in the program (with size relations); (b) extract 
Boolean conditions on the instantiation of variables to guarantee that each of 
the identified loops can be executed only a finite number of times; and (c) 
apply backwards analysis as defined in [12] to infer modes for initial goals which 
guarantee that these Boolean conditions will hold. 

The following definition specifies how to extract from the results of the initial phase of the termination analysis those assertions from which backwards analysis starts. The idea is that: (1) in each loop, at least one set $I$ of arguments, the sum of whose sizes decreases, should all be instantiated enough (so this is a disjunction); and (2) all of the loops must satisfy the previous point (so this is a conjunction).

Definition 1. The termination assertion $\mu(p(\bar{x}))$ for the predicate $p/n$ in the program $P$ is determined as follows:

1. The condition for a single binary clause is
$$\mu\big(p(\bar{x}) \leftarrow \pi, p(\bar{y})\big) = \bigvee \Big\{ \bigwedge_{i \in I} x_i \;\Big|\; I \subseteq \{1, \ldots, n\},\ \pi \models \sum_{i \in I} x_i > \sum_{i \in I} y_i \Big\}$$

2. and the assertion for $p(\bar{x})$ is:
$$\mu(p(\bar{x})) = \bigwedge \Big\{ \mu(\ell) \;\Big|\; \ell = p(\bar{x}) \leftarrow \pi, p(\bar{y}) \in P^{bin}_{size} \Big\}$$



In theory we could obtain a stronger assertion by considering arbitrary linear combinations of the arguments of $p(\bar{x})$ instead of restricting coefficients to 0 and 1, as we do in the definition by taking subsets $I$ of the argument positions. In practice, in the implementation, we impose a weaker assertion which does not consider all subsets $I \subseteq \{1, \ldots, n\}$, but rather only the singletons (to detect argument positions which decrease in size) and the set of arguments which do not decrease in size (in case their sum does). This simplistic approach works well in practice. A more elaborate approach is described in [18].

Example 2. Consider as $P$ the split/3 relation (from merge sort):

split([], [], []).
split([X|Xs], [X|Ys], Zs) :- split(Xs, Zs, Ys).

The binary clauses obtained by the analyzer of [4] are:

$\ell_1 = split(x_1, x_2, x_3) \leftarrow [y_1 < x_1, y_3 < x_2, x_3 = y_2], split(y_1, y_2, y_3)$.
$\ell_2 = split(x_1, x_2, x_3) \leftarrow [y_1 < x_1, y_2 < x_2, y_3 < x_3], split(y_1, y_2, y_3)$.
$\ell_3 = split(x_1, x_2, x_3) \leftarrow [y_1 < x_1, y_3 < x_2, y_2 < x_3], split(y_1, y_2, y_3)$.

We have $\mu(\ell_1) = \mu(\ell_3) = x_1 \lor (x_2 \land x_3)$, because $y_1 < x_1$ and $y_2 + y_3 < x_2 + x_3$; and $\mu(\ell_2) = x_1 \lor x_2 \lor x_3$ because $y_1 < x_1$, $y_2 < x_2$, $y_3 < x_3$. The assertion for split/3 is $\mu(split(x_1, x_2, x_3)) = (x_1 \lor (x_2 \land x_3)) \land (x_1 \lor x_2 \lor x_3) = x_1 \lor (x_2 \land x_3)$.




Inferring Termination Conditions for Logic Programs 691 



Definition 2. A mode is a tuple of the form $p(m_1, \ldots, m_n)$ where $m_i$ ($1 \le i \le n$) is either $b$ ('bound') or $f$ ('free'). We say that $p(m_1, \ldots, m_n)$ is safe for $p(x_1, \ldots, x_n)$ if the conjunction $\bigwedge\{x_i \mid m_i = b\}$ implies the termination condition inferred by backwards analysis for $p(\bar{x})$.

Example 3. In the previous example we inferred $\mu(split(x_1, x_2, x_3)) = \varphi$ with $\varphi = x_1 \lor (x_2 \land x_3)$. Hence $split(b, f, f)$ and $split(f, b, b)$ are safe modes for split/3 because $x_1 \to \varphi$ and $(x_2 \land x_3) \to \varphi$.
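As an added example (not the analyzer's own code), the following Python script implements Definition 1 and the safe-mode test of Definition 2 over abstract binary clauses given as lists of constraints $y_j \bowtie x_i$. One point where it deliberately simplifies: the entailment $\pi \models \sum_{i \in I} x_i > \sum_{i \in I} y_i$ is decided by a sufficient condition (a one-to-one matching of the $y_j$ to the $x_i$ through constraints of $\pi$, at least one of them strict), which is sound but weaker than the linear-constraint reasoning of a real size analysis. For the split/3 clauses of Example 2 and the append/3 loop of Section 2 it yields exactly the assertions stated on the page.

```python
from itertools import combinations, permutations

# A termination assertion is kept in disjunctive normal form as a set of conjuncts, each
# conjunct a frozenset of argument positions: {frozenset({1}), frozenset({2, 3})} stands
# for x1 v (x2 ^ x3); {frozenset()} is the formula true and the empty set is false.

def absorb(dnf):
    """Drop any conjunct that contains another one (x1 v (x1 ^ x2) = x1)."""
    return {c for c in dnf if not any(d < c for d in dnf)}

def conjoin(d1, d2):
    """Conjunction of two DNFs: pairwise union of conjuncts, then absorption."""
    return absorb({c | d for c in d1 for d in d2})

def loop_assertion(n, pi):
    """mu for one abstract binary clause p(x1..xn) <- pi, p(y1..yn) (Definition 1, item 1).
    pi is a list of triples (j, rel, i) standing for the constraint y_j rel x_i, with rel one
    of '<', '<=', '='.  A subset I of positions is kept when pi entails sum_I x_i > sum_I y_i.
    Entailment is checked here by a sufficient condition, an assumption of this example: the
    y_j (j in I) can be matched one-to-one to the x_i (i in I) through constraints of pi,
    at least one of which is strict; summing the matched constraints gives the inequality."""
    rel = {(j, i): r for j, r, i in pi}
    dnf = set()
    for size in range(1, n + 1):
        for I in combinations(range(1, n + 1), size):
            for perm in permutations(I):
                rels = [rel.get((j, i)) for j, i in zip(I, perm)]
                if all(rels) and '<' in rels:
                    dnf.add(frozenset(I))
                    break
    return absorb(dnf)

def termination_assertion(n, loops):
    """mu(p(x)) = conjunction of the assertions of all binary clauses for p (item 2)."""
    mu = {frozenset()}
    for pi in loops:
        mu = conjoin(mu, loop_assertion(n, pi))
    return mu

def is_safe_mode(mode, mu):
    """Definition 2: the conjunction of the bound ('b') positions implies mu; for a
    positive DNF this means it contains some conjunct of mu.  mode is e.g. 'bff'."""
    bound = {i + 1 for i, m in enumerate(mode) if m == 'b'}
    return any(c <= bound for c in mu)

def show(mu):
    """Render a DNF as on the page, e.g. 'x1 v (x2 ^ x3)'; 'false' when some loop has no bound."""
    if not mu:
        return 'false'
    parts = []
    for c in sorted(mu, key=sorted):
        names = [f'x{i}' for i in sorted(c)]
        parts.append('true' if not names else names[0] if len(names) == 1
                     else '(' + ' ^ '.join(names) + ')')
    return ' v '.join(parts)

# Binary clauses of Example 2 (split/3) and the append/3 loop of Section 2, transcribed.
SPLIT_LOOPS = [
    [(1, '<', 1), (3, '<', 2), (2, '=', 3)],   # l1: y1 < x1, y3 < x2, x3 = y2
    [(1, '<', 1), (2, '<', 2), (3, '<', 3)],   # l2: y1 < x1, y2 < x2, y3 < x3
    [(1, '<', 1), (3, '<', 2), (2, '<', 3)],   # l3: y1 < x1, y3 < x2, y2 < x3
]
APPEND_LOOP = [(1, '<', 1), (3, '<', 3), (2, '=', 2)]   # D < A, F < C, B = E

if __name__ == '__main__':
    mu = termination_assertion(3, SPLIT_LOOPS)
    print('mu(split) =', show(mu), '; safe modes among bff/fbb/fbf:',
          [m for m in ('bff', 'fbb', 'fbf') if is_safe_mode(m, mu)])
    print('mu(append) =', show(termination_assertion(3, [APPEND_LOOP])))
```

The matching test is exactly the "coefficients 0 and 1" restriction discussed above: it never discovers that a weighted sum of sizes decreases, so where it returns $false$ for a loop a real analyzer may still find a bound.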

The correctness of the method follows from the results of [4] and [12]. 

Theorem 1. Let $P$ be a logic program and $p(\bar{m})$ a safe mode for $p(\bar{x})$. Then $P$ terminates for $p(\bar{m})$.

Proof (sketch). Let $p(\bar{m})$ be a safe mode for $p/n$, let $G$ be an initial query of this mode and let $Q$ be a call to a predicate $q/k$ which loops in an SLD derivation for $G$. Let $\mu$ be the Boolean assertion imposed on $q/k$ by termination inference and $\varphi$ be the termination condition for $p/n$. From the correctness of backwards analysis [12] it follows that $\mu$ must hold for $Q$, because $\bigwedge\{x_i \mid m_i = b\} \to \varphi$ and $\varphi$ guarantees $\mu$. From the construction of $\mu$, which considers the binary clauses for $q$, and the correctness of the termination analysis [4] it follows that the loop on $q/k$ must terminate.

5 Experimental Results 

We have implemented an analyzer for termination inference and it is accessible at http://www.cs.bgu.ac.il/~mcodish/TerminWeb. Basically, we combine the first phase of the termination analysis described in [4] (which describes the program's loops using size information) with an implementation of the backwards analysis algorithm described in [12] (for the Pos domain).

To evaluate our analyzer, we use the same benchmarks as used in [16]. The experimentation is set up to use the same parameters (choice of norm and widening steps) as reported in [16]. Our analyzer runs SICStus 3.7.1 on a Pentium III 500MHz machine with 128MB RAM under Linux RedHat 7.1 (kernel 2.4.2-2). Timings for cTI are reported for a faster machine (Athlon 750MHz, 256MB, SICStus 3.8.4). Table 1 indicates analysis times (in seconds). The columns indicate the costs for: Size: approximating loops with size information; Pos: approximating answers with instantiation dependencies; Ass: computing initial instantiation assertions (from the size information); BA: backwards analysis; Total: total analysis time (including preprocessing, not itemized on its own); cTI: total analysis time using cTI (as reported in [16]).

The two blocks of programs in Table 1 correspond respectively to those from Tables 2 and 5 in [16]. For the first block we infer exactly the same termination conditions as cTI. For the second block (of larger programs), Mesnard and Neumerkel report precision in terms of the percentage of the program's predicates for which some (non-false) termination condition is inferred. We obtain the same percentages, except for the last three programs, where a "⊕" indicates that we infer more terminating predicates than does cTI and a "⊖" vice versa.
The results indicate that the precision of the two analyzers is quite similar and that (given that cTI is running on a faster machine) ours is in most cases more efficient. The interesting aspects of the experimental results come from a closer comparison with previous work: First, in comparison with termination checking as reported in [4], we observe that in most cases termination inference is not only more general but also faster than termination checking. Note that the two columns labelled Size and Pos correspond to tasks which are performed anyway during (the first phase of) termination checking. The next two columns (labelled Ass and BA) concern tasks specific to termination inference which are very fast and in general less expensive than the cost of the second phase (checking a given mode) of the analysis described in [4].

Second, in comparison with the termination inference described in [16], note that while the total analysis times are similar, our backwards analysis phase is 5-6 times faster (on a slower machine) than the corresponding phase in cTI (based on the comparison of our Table 1 with Table 5 from [16]). This is due to the application of a carefully designed backwards analysis algorithm which propagates information (backwards) through the clause bodies. In contrast, the corresponding phase in cTI sets up the entire collection of recursive equations specifying the constraints that hold at each program point and then solves these simultaneously.

Table 1. Experimental Results (analysis times in seconds)

program      Size   Pos   Ass   BA    Total   cTI
permute      0.12   .00   .01   .00    0.14   0.15
duplicate    0.03   .00   .00   .00    0.03   0.05
sum1         0.05   .00   .01   .00    0.06   0.18
merge        0.19   .00   .02   .00    0.21   0.26
dis-con      0.09   .00   .00   .01    0.10   0.24
reverse      0.05   .00   .01   .00    0.08   0.08
append       0.05   .01   .00   .00    0.06   0.09
list         0.01   .01   .00   .00    0.03   0.01
fold         0.05   .00   .01   .00    0.06   0.10
lte          0.06   .01   .00   .00    0.07   0.13
map          0.05   .00   .00   .00    0.05   0.09
member       0.04   .01   .00   .00    0.05   0.03
msort        0.44   .00   .02   .00    0.46   0.43
msort*       0.98   .01   .01   .01    1.02   0.57
msort_ap     0.63   .00   .04   .00    0.67   0.79
msort_ap*    1.29   .03   .03   .00    1.35   0.92
naive_rev    0.08   .01   .00   .00    0.10   0.12
ordered      0.03   .00   .00   .00    0.03   0.04
overlap      0.05   .01   .00   .00    0.06   0.05
permute      0.10   .00   .01   .00    0.13   0.15
quicksort    0.38   .01   .04   .00    0.43   0.39
sum2         0.08   .00   .01   .00    0.09   0.08
select       0.09   .01   .00   .00    0.10   0.09
subset       0.09   .01   .00   .00    0.11   0.12

arm          4.46   .07   .30   .03    5.02   5.01
bid          0.62   .02   .05   .01    0.74   0.79
boyer        2.55   .05   .04   .01    2.75   3.53
browse       0.96   .01   .15   .00    1.16   1.81
credit       0.43   .02   .04   .01    0.54   0.61
peep         4.46   .04   .07   .02    4.68  12.08
plan         1.03   .02   .03   .01    1.12   0.71
qplan       10.86   .05   .51   .03   11.58   7.30
rdtok ⊕      2.86   .02   .16   .01    3.10   2.92
read ⊖       4.43   .03   .04   .03    4.65   6.87
warplan ⊕    2.54   .04   .14   .03    2.83   3.18

6 Related Work

Backwards reasoning for imperative programs dates back to the early days of static analysis and has been applied extensively in functional programming. Applications of backwards analysis in the context of logic programming are few. For
details concerning other applications of backwards analysis, see [12]. The application described in [12] is similar to ours. There, the authors infer modes for a logic program which guarantee that Prolog builtins do not report instantiation errors. The authors note that when trying to figure out how to run programs written by a third party (for instance when collecting and testing that benchmark programs for program analysis actually work) they typically start from builtins and work backwards to infer the intended modes of use for the program.

In fact, our work can also be applied to the same task, as it is natural to assume that the intended mode of use results in terminating computations. So for example where King and Lu infer the mode $x \lor y$ for the predicate $permutation\_sort(x, y)$, termination inference gives the more restrictive mode $x$; and where they infer for $partition(x_1, x_2, x_3, x_4)$ (in the quicksort program) the mode $x_2 \land (x_1 \lor (x_3 \land x_4))$, to guarantee termination we infer the mode $x_1$. The conjunction of the two (as the intended mode of use should be both terminating and not lead to instantiation errors) gives the mode $x_1 \land x_2$ (which is the intended mode of use). It is interesting to note that the two backwards analyses can be performed together. We simply start from the conjunction of the initial assertions from the two applications.

The only other work on termination inference that we are aware of is that of Mesnard and coauthors. The implementation of Mesnard's analyzer is described in [16] and its formal justification is given in [17]. Their cTI analyzer is very similar to ours. The main difference is in the design. Our approach is "black box", combining existing components from a standard termination checker and a generic backwards analysis technique. There are two main technical differences between the analysers: (1) when inferring the initial Boolean assertions from the results of the size analysis, cTI uses a more sophisticated, albeit more costly, technique (to detect level mappings) adapted from [18]. In practice, for the benchmark collection this makes almost no difference for precision, but it is in general more powerful; and (2) in the phase where we apply backwards analysis, implemented as a simple Prolog meta-interpreter, cTI invokes a $\mu$-calculus solver to compute the greatest fixed point of a system of equations, which seems more complex than (though equivalent to) what backwards analysis is solving.

7 Conclusion 

We have demonstrated that backwards analysis provides a useful link between 
termination checking and termination inference. This leads to a better under- 
standing of termination inference and simplifies the formal justification and the 
implementation of termination inference. We demonstrate how putting the com- 
ponents together enables us to enhance the termination analyzer described in 
[4] to perform also termination inference. 

Acknowledgement. We acknowledge the many discussions, as well as the ex- 
change of code and benchmarks, with Andy King, Fred Mesnard and Cohavit 
Taboch. 
Abstract. We present Timbuk, a tree automata library, which implements the usual operations on tree automata as well as a completion algorithm used to compute an over-approximation of the set of descendants $\mathcal{R}^*(E)$ for a regular set $E$ and a term rewriting system $\mathcal{R}$, possibly non-linear and non-terminating. On several examples of term rewriting systems representing programs and systems to verify, we show how to use Timbuk to construct their approximations and then prove unreachability properties of these systems.



1 Introduction 

Term Rewriting Systems (TRSs for short) are a very simple way to describe functions as well as parallel processes or state transition systems, where rewriting models respectively evaluation, progression or transitions.

In [?], we proposed a technique for approximating the set of descendants: given a TRS $\mathcal{R}$ and two regular sets of terms $E$ and $F$, both recognized by tree automata, approximation of the set of descendants $\mathcal{R}^*(E)$ permits, in particular, to show the non-$\mathcal{R}$-reachability of terms of $F$ from terms of $E$. One of the main differences with other existing proof techniques on TRSs is that approximations can be computed on TRSs even if they are non-terminating (and non-confluent). With regard to the regular approximations used in abstract interpretation, our method does not focus on automation but, instead, lets the user adapt the approximation rules to the TRS and the property to be verified. Thus, regular approximations can be more precise at the price of requiring user interaction. These aspects turn out to be of interest and have some practical applications, such as the verification of cryptographic protocols [7].

The approximation technique, initially prototyped with ELAN [?], is now implemented in the Timbuk library [?], written in Ocaml [?]. This library provides basic primitives on non-deterministic tree automata like intersection, union, complement of languages, determinisation of tree automata, as well as a completion algorithm for computing approximations.

In this paper, we briefly recall the basic definitions of TRSs and tree automata in section 2. Then, in section 3, we recall what approximations are. The construction of approximations in practice with Timbuk is detailed in section 4. Finally, we conclude with some comparisons with other works and systems in section 5.

2 Preliminaries 

Comprehensive surveys can be found in [?] for term rewriting systems, and in [?] for tree automata and tree language theory.

Let $\mathcal{F}$ be a finite set of symbols, each associated with an arity function, and let $\mathcal{X}$ be a countable set of variables. $T(\mathcal{F}, \mathcal{X})$ denotes the set of terms, and $T(\mathcal{F})$ denotes the set of ground terms (terms without variables). The set of variables of a term $t$ is denoted by $Var(t)$. A substitution is a mapping $\sigma$ from $\mathcal{X}$ into $T(\mathcal{F}, \mathcal{X})$, which can uniquely be extended to an endomorphism of $T(\mathcal{F}, \mathcal{X})$. Its domain $Dom(\sigma)$ is $\{x \in \mathcal{X} \mid x\sigma \neq x\}$.

A term rewriting system $\mathcal{R}$ is a set of rewrite rules $l \to r$, where $l, r \in T(\mathcal{F}, \mathcal{X})$, $l \notin \mathcal{X}$, and $Var(l) \supseteq Var(r)$. A rewrite rule $l \to r$ is left-linear (resp. right-linear) if each variable of $l$ (resp. $r$) occurs only once. A rule is linear if it is both left- and right-linear. A TRS $\mathcal{R}$ is linear (resp. left-linear, right-linear) if every rewrite rule $l \to r$ of $\mathcal{R}$ is linear (resp. left-linear, right-linear). The TRS $\mathcal{R}$ induces a rewriting relation $\to_{\mathcal{R}}$ on terms whose reflexive transitive closure is denoted by $\to^*_{\mathcal{R}}$. The set of $\mathcal{R}$-descendants of a set of ground terms $E$ is $\mathcal{R}^*(E) = \{t \in T(\mathcal{F}) \mid \exists s \in E \text{ s.t. } s \to^*_{\mathcal{R}} t\}$.

Let $Q$ be a finite set of symbols, with arity 0, called states. $T(\mathcal{F} \cup Q)$ is called the set of configurations. A transition is a rewrite rule $c \to q$, where $c \in T(\mathcal{F} \cup Q)$ and $q \in Q$. A normalized transition is a transition $c \to q$ where $c = q' \in Q$ or $c = f(q_1, \ldots, q_n)$, $f \in \mathcal{F}$, $ar(f) = n$, and $q_1, \ldots, q_n \in Q$. A bottom-up non-deterministic finite tree automaton (tree automaton for short) is a quadruple $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$, where $Q_f \subseteq Q$ and $\Delta$ is a set of normalized transitions. A tree automaton is deterministic if there are no two rules with the same left-hand side. The rewriting relation induced by the transitions of $\mathcal{A}$ (the set $\Delta$) is denoted by $\to_{\mathcal{A}}$. The tree language recognized by $\mathcal{A}$ is $\mathcal{L}(\mathcal{A}) = \{t \in T(\mathcal{F}) \mid \exists q \in Q_f \text{ s.t. } t \to^*_{\mathcal{A}} q\}$.

3 Approximations 

Starting from a tree automaton $\mathcal{A}_0 = (\mathcal{F}, Q_0, Q_f, \Delta_0)$ and a left-linear¹ TRS $\mathcal{R}$, the aim of the approximation algorithm is to compute a tree automaton $\mathcal{A}_k$ such that $\mathcal{L}(\mathcal{A}_k) \supseteq \mathcal{R}^*(\mathcal{L}(\mathcal{A}_0))$. Approximations are used to show that terms recognized by a tree automaton $\mathcal{A}_{bad}$ are not reachable by rewriting terms of $\mathcal{L}(\mathcal{A}_0)$ with $\mathcal{R}$. For this, it is enough to show that $\mathcal{L}(\mathcal{A}_k) \cap \mathcal{L}(\mathcal{A}_{bad}) = \emptyset$, i.e., to compute the automaton recognizing the intersection and show that the recognized language is empty.

¹ Approximations can also be computed for non-left-linear systems with some restrictions on the automaton we consider, see section [?].
The technique consists in successively computing tree automata $\mathcal{A}_1, \mathcal{A}_2, \ldots$ such that $\forall i \ge 0: \mathcal{L}(\mathcal{A}_i) \subseteq \mathcal{L}(\mathcal{A}_{i+1})$, and if $s \in \mathcal{L}(\mathcal{A}_i)$ and $s \to_{\mathcal{R}} t$ then $t \in \mathcal{L}(\mathcal{A}_{i+1})$, until we get an automaton $\mathcal{A}_k$ with $k \in \mathbb{N}$ such that $\mathcal{L}(\mathcal{A}_k) = \mathcal{L}(\mathcal{A}_{k+1})$. Thus, $\mathcal{A}_k$ also verifies $\mathcal{L}(\mathcal{A}_k) \supseteq \mathcal{R}^*(\mathcal{L}(\mathcal{A}_0))$. More precisely, to construct $\mathcal{A}_{i+1}$ from $\mathcal{A}_i$, we achieve a completion step which consists in finding critical pairs between $\to_{\mathcal{R}}$ and $\to_{\mathcal{A}_i}$. For a substitution $\sigma$ and a rule $l \to r \in \mathcal{R}$, a critical pair is an instance $l\sigma$ of $l$ such that there exists $q \in Q$ satisfying $l\sigma \to^*_{\mathcal{A}_i} q$ and $r\sigma \not\to^*_{\mathcal{A}_i} q$. For $r\sigma$ to be recognized by the same state, it is enough to join the critical pair:



[Diagram: $l\sigma \to^*_{\mathcal{A}_i} q$ and $l\sigma \to_{\mathcal{R}} r\sigma$; the dashed arrow $r\sigma \to^*_{\mathcal{A}_{i+1}} q$ closes the square.]



and add the new transition $r\sigma \to q$ to $\mathcal{A}_{i+1}$. However, the transition $r\sigma \to q$ is not necessarily of the form $f(q_1, \ldots, q_n) \to q'$ and so has to be normalized first. For example, to normalize a transition of the form $f(g(a), h(q')) \to q$, we need to find some states $q_1, q_2, q_3$ and replace the previous transition by a set of normalized transitions: $\{a \to q_1,\ g(q_1) \to q_2,\ h(q') \to q_3,\ f(q_2, q_3) \to q\}$.

Assume that $q_1, q_2, q_3$ are new states; then adding the transition itself or its normalized form does not make any difference. Now, assume that $q_1 = q_2$; the normalized form becomes $\{a \to q_1,\ g(q_1) \to q_1,\ h(q') \to q_3,\ f(q_1, q_3) \to q\}$. This set of normalized transitions represents the regular set of non-normalized transitions of the form $f(g^*(a), h(q')) \to q$, which contains the transition we wanted to add initially but also many others. Hence, this is an approximation. We could have made an even more drastic approximation by identifying $q_1, q_2, q_3$ with $q$, for instance.

Timbuk provides several techniques to automatise the normalization process. We detail only two of them:

• One is a set of priority transitions: these are specific transitions of the automaton which are systematically used to simplify the new transitions before any user normalization is performed. For example, assume that $a \to q_a$ and $g(q_a) \to q_0$ are priority transitions of the automaton; then the transition of the previous example would be simplified into $f(q_0, h(q')) \to q$ before requiring new states to end the normalization. Note that the set of priority transitions has to be defined by the user, because using such 'deterministic' transitions (always normalizing the same configuration by the same state) leads to approximation in general².

² For example, using the set of priority transitions $\{a \to q', b \to q'\}$ to normalize the transition $f(a) \to q$ will give the transition $f(q') \to q$, which is an approximation of the initial transition since it represents the set of non-normalized transitions $\{f(a) \to q, f(b) \to q\}$.
• A second tool for normalizing new transitions automatically is approximation rules. Approximation rules are strictly more expressive³ than priority transitions since they are not only tree automata transitions but rewrite rules with variables. The approximation rules are applied on the new transitions to normalize. The general form for approximation rules is the following: $[s \to x] \to [l_1 \to x_1, \ldots, l_n \to x_n]$ where $[s \to x]$, with $s \in T(\mathcal{F} \cup Q, \mathcal{X})$ and $x \in \mathcal{X} \cup Q$, is a pattern to be matched over the transition to normalize, and $[l_1 \to x_1, \ldots, l_n \to x_n]$ are rules used to normalize the left-hand side of the new transition. The syntactical constraint for those rules is the following: $l_i \in T(\mathcal{F} \cup Q, \mathcal{X})$ and either $x_i \in Q$ or $x_i \in Var(l_i) \cup Var(s) \cup \{x\}$. To normalize a transition of the form $t \to q'$, we match $s$ on $t$ and $x$ on $q'$, obtain a substitution $\sigma$ and then normalize $t$ with the rewrite rules $l_1\sigma \to x_1\sigma, \ldots, l_n\sigma \to x_n\sigma$, where $x_1\sigma, \ldots, x_n\sigma$ should be states. For example, normalizing a transition $f(h(q_1), g(q_2)) \to q_3$ with the approximation rule $[f(x, g(y)) \to z] \to [g(u) \to z]$ will give a substitution $\sigma = \{x \mapsto h(q_1), y \mapsto q_2, z \mapsto q_3\}$ and an instantiated set of rewrite rules $[g(u) \to q_3]$. Thus, $f(h(q_1), g(q_2)) \to q_3$ will be normalized into a normalized transition $g(q_2) \to q_3$ and a partially normalized transition $f(h(q_1), q_3) \to q_3$.

Note that, whatever the normalization may be, a safety theorem of [?] ensures that when the completion terminates on a tree automaton $\mathcal{A}_k$, it is such that $\mathcal{L}(\mathcal{A}_k) \supseteq \mathcal{R}^*(\mathcal{L}(\mathcal{A}_0))$.

4 Computing Approximations with Timbuk 

A completion step i with Timbuk, constructing automaton Ai from automaton 
Ai-i, can be divided into 5 phases: (1) automatically find some new critical 
pairs between the TRS and Ai-i, (2) automatically construct the correspond- 
ing new transitions, (3) automatically normalize the new transitions by priority 
transitions and approximation rules, (4) ask the user to provide some rules and 
possibly new states to normalize what remains to be normalized in the new tran- 
sitions, (5) automatically construct Ai by adding the normalized new transitions 
to Ai-\. 

After each completion step i, the user can choose between several actions 
(in a menu) like displaying the current automaton Ai, checking the intersection 
between Ai and some other automata recognizing the terms which should be 
proven unreachable, and an undo action to come back to the automaton Ai-i 
corresponding to the previous completion step. 

4.1 Interactive Approximation 

In the following introductory example, we compute an approximation of the reverse function (symbol rev defined by TRS R1) on the regular language of terms recognized by automaton A0, i.e., rev applied to any flat list of a's and b's where all a's are before the b's in the list. The second automaton, called Problems, recognizes a regular language of terms that should be unreachable from A0 by rewriting with R1: flat lists where there is at least one 'a' before a 'b' in the list. Here is the complete specification file:

³ One may use approximation rules to simulate priority transitions, but the interest of priority transitions lies in the fact that they can be added during completion, see section 4.1.

Ops nil:0 cons:2 app:2 rev:1 a:0 b:0
Vars x y z
TRS R1
app(x, nil) -> x
app(cons(x, y), z) -> cons(x, app(y, z))
rev(nil) -> nil
rev(cons(x, y)) -> app(rev(y), cons(x, nil))

Automaton A0
States qrev qlab qlb qa qb
Description qrev: "rev applied to lists where a are before b"
            qlab: "lists where a are before b (possibly empty)"
            qlb: "lists of b (poss. empty)"   qa: "symbol a"   qb: "symbol b"
Final States qrev
Transitions
rev(qlab) -> qrev      nil -> qlab      cons(qa, qlab) -> qlab
cons(qa, qlb) -> qlab  nil -> qlb       cons(qb, qlb) -> qlb
a -> qa                b -> qb

Automaton Problems
States qlab1 qlb1 q1 qa qb
Final States qlab1
Transitions
cons(qa, qlab1) -> qlab1    cons(qb, qlab1) -> qlab1
cons(qa, qlb1) -> qlab1     cons(qb, q1) -> qlb1
cons(qa, q1) -> q1          cons(qb, q1) -> q1
a -> qa                     b -> qb
nil -> q1


The first completion step gives some new transitions and the following output:

Adding transition: nil -> qrev ... already normalized!
Adding transition: app(rev(qlab), cons(qa, nil)) -> qrev
Do you want to give by hand some rules to normalize the transition? (y/n)?

The first transition is already normalized and automatically added; however, the second one has to be normalized. First, we have to find states to place the configurations rev(qlab) and nil. Since the state qlab recognizes a list of a's followed by some b's, we intend rev(qlab) to be a list of b's followed by some a's, so let us normalize it by a new state called qlba. In fact, we define two new states, qlba to normalize rev(qlab) and qnil to normalize nil, by typing the following commands:

New States qlba qnil.
* rev(qlab) -> qlba * nil -> qnil.

where the * symbol preceding a transition means that we want to install that transition in the set of priority transitions. Hence, in the next completion steps, if a new configuration of the form rev(qlab) appears, it will be automatically normalized into the state qlba. After giving these normalization rules, the transition is still not normalized. Timbuk shows the result of the normalization process so far:

Normalization simplifies the transition into: app(qlba, cons(qa, qnil)) -> qrev
Adding transition: app(qlba, cons(qa, qnil)) -> qrev
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Once more, we are asked to give some rules for normalizing this transition. 
Since consCqa, qnil) represents a list with one a, we can create a new state 
qla to normalize it, and this terminates the normalization of the first transition. 
There remains a transition to normalize: 

Adding transition: app(rev(qlb) ,qla) -> qrev 

Since we intend that the rev function applied to any list of b’s should give a 
list of b’s we do not need to introduce any new state but simply normalize it by 
proposing the following priority transition: * rev(qlb) -> qlb. 

This terminates the first completion step. In the following six completion 
steps it is enough to successively introduce the following priority transitions to 
normalize the new transitions we are proposed and thus terminate the comple- 
tion: 

* appCqlb, qla) -> qlba * consCqb, qnil) -> qlb * appCqnil, qlb) -> qlb 

* appCqnil, qla) -> qla * rev(qnil) -> qnil * appCqla, qla) -> qla. 

Finally, from the menu it is possible to see the completed automaton which 
now contains 30 transitions and to compute the intersection with the automaton 
Problems, which gives an empty automaton meaning that applying rev to a list 
of a’s followed by some b’s cannot result into any list where there is an ’a’ before 
a ’b’. 
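To make the membership and intersection checks concrete, here is a small Python model of bottom-up tree automata; it is an added illustration, not Timbuk's code. The two automata above are entered as transition tables, run performs the bottom-up recognition, and intersection_empty is the standard product-automaton emptiness test (the check behind "compute the intersection" in the menu); the finals_a parameter and the lst helper are my own additions so that the language of a single state such as qlab can also be tested.

```python
# Added example (not Timbuk's code): bottom-up tree automata with a membership
# run and the product-automaton emptiness check used for intersections.
# A transition f(q1, ..., qn) -> q is stored as (f, (q1, ..., qn), q);
# a term f(t1, ..., tn) is the tuple ("f", t1, ..., tn).

# Automaton A0 from the text: rev applied to lists of a's followed by b's.
A0 = {
    "final": {"qrev"},
    "trans": [
        ("rev", ("qlab",), "qrev"),
        ("nil", (), "qlab"), ("cons", ("qa", "qlab"), "qlab"),
        ("cons", ("qa", "qlb"), "qlab"),
        ("nil", (), "qlb"), ("cons", ("qb", "qlb"), "qlb"),
        ("a", (), "qa"), ("b", (), "qb"),
    ],
}

# Automaton Problems from the text: lists in which some a occurs before some b.
PROBLEMS = {
    "final": {"qlabl"},
    "trans": [
        ("cons", ("qa", "qlabl"), "qlabl"), ("cons", ("qb", "qlabl"), "qlabl"),
        ("cons", ("qa", "qlbl"), "qlabl"), ("cons", ("qb", "ql"), "qlbl"),
        ("cons", ("qa", "ql"), "ql"), ("cons", ("qb", "ql"), "ql"),
        ("a", (), "qa"), ("b", (), "qb"), ("nil", (), "ql"),
    ],
}


def run(automaton, term):
    """Non-deterministic bottom-up run: the set of all states recognising `term`."""
    symbol, subterms = term[0], term[1:]
    sub_states = [run(automaton, t) for t in subterms]
    return {
        q for f, args, q in automaton["trans"]
        if f == symbol and len(args) == len(sub_states)
        and all(a in s for a, s in zip(args, sub_states))
    }


def accepts(automaton, term, finals=None):
    """True iff `term` reaches a final state (or one of the given `finals`)."""
    finals = automaton["final"] if finals is None else finals
    return bool(run(automaton, term) & finals)


def reachable_pairs(a, b):
    """States (qa, qb) of the product A x B that recognise at least one term,
    computed as the least fixpoint over the product transitions."""
    pairs, changed = set(), True
    while changed:
        changed = False
        for f, args_a, qa in a["trans"]:
            for g, args_b, qb in b["trans"]:
                if f != g or len(args_a) != len(args_b) or (qa, qb) in pairs:
                    continue
                if all((x, y) in pairs for x, y in zip(args_a, args_b)):
                    pairs.add((qa, qb))
                    changed = True
    return pairs


def intersection_empty(a, b, finals_a=None, finals_b=None):
    """True iff L(A) and L(B) share no term; `finals_a`/`finals_b` (my addition)
    let us ask the question for a single state instead of the final states."""
    finals_a = a["final"] if finals_a is None else finals_a
    finals_b = b["final"] if finals_b is None else finals_b
    return not any(qa in finals_a and qb in finals_b
                   for qa, qb in reachable_pairs(a, b))


def lst(*symbols):
    """Build cons(s1, cons(s2, ... nil)) from constant symbol names."""
    term = ("nil",)
    for s in reversed(symbols):
        term = ("cons", (s,), term)
    return term


if __name__ == "__main__":
    print(accepts(PROBLEMS, lst("a", "b")))                      # True: an a before a b
    print(accepts(A0, ("rev", lst("a", "b"))))                  # True: rev of a's then b's
    print(intersection_empty(A0, PROBLEMS))                     # True
    print(intersection_empty(A0, PROBLEMS, finals_a={"qlab"}))  # False: a,b is in both
```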

4.2 Debugging Term Rewriting Systems with Timbuk 

For linear TRS¹, by normalizing every new transition with new states, we can
perform some exact completion steps without approximation, i.e., we can compute
a subset of the reachable terms. More precisely, after the $i$-th completion step the
automaton $A_i$ is such that $\forall t \in \mathcal{L}(A_i) : \exists s \in \mathcal{L}(A_0)$ s.t. $s \to^* t$.

The second example describes the behavior of a system of two processes that
is supposed to count '+' and '-' symbols in a list. Initially, the list is divided
into two parts and each part is given to a single process. One process, let us call
it P+, is supposed to count the '+' symbols and the other one, P-, is supposed
to count the '-' symbols. Each process has an incoming message queue. The
process P+ counts the '+' symbols in its list, sends a message to process P- each
time it finds a '-' symbol, and reads messages in its message queue to take
into account the '+' symbols found by process P-. The behavior of process P-
is symmetrical. This behavior can be described by the following TRS, where a
term of the form S(p1, p2, s1, s2) represents a state of the system where process
P+ is in a configuration described by term p1, P- is in a configuration described
by term p2, and the message queues of processes P+ and P- are respectively
s1 and s2. A term of the form Proc(l, c) is a process configuration where its
current list of symbols is l and its local counter is c. The terms o, s(o), ...
represent the naturals 0, 1, .... Queues are represented by lists where the add
symbol adds a message to the queue, i.e., at the end of the list.



¹ The left-linearity restriction on the TRS can even be weakened, see Section 4.3.

TRS R1

add(x, nil) -> cons(x, nil)                                              (* add in queue *)
add(x, cons(y, z)) -> cons(y, add(x, z))
S(Proc(cons(plus, y), c), z, m, n) -> S(Proc(y, s(c)), z, m, n)          (* P+ counts + *)
S(Proc(cons(minus, y), c), u, m, n) -> S(Proc(y, c), u, m, add(minus, n))
S(Proc(x, c), z, cons(plus, m), n) -> S(Proc(x, s(c)), z, m, n)          (* P+ reads a mesg *)
S(x, Proc(cons(minus, y), c), m, n) -> S(x, Proc(y, s(c)), m, n)         (* P- counts - *)
S(x, Proc(cons(plus, y), c), m, n) -> S(x, Proc(y, c), add(plus, m), n)
S(x, Proc(z, c), m, cons(minus, n)) -> S(x, Proc(z, s(c)), m, n)         (* P- reads a mesg *)

The initial configuration of the system is described by the following tree
automaton, recognizing every configuration where the two processes have a counter
initialized to zero, any non-empty list of symbols to count and an empty message
queue.

Automaton A0

States q0 qinit qzero qlist qnil qsymb

Description q0    : "initial configuration"
            qzero : "zero"
            qinit : "a process in an initial state"
            qlist : "any non empty list of plus and minus symbols"
            qnil  : "the empty list"
            qsymb : "any symbol"

Final States q0

Transitions
  o -> qzero                    nil -> qnil
  plus -> qsymb                 minus -> qsymb
  cons(qsymb, qnil) -> qlist    cons(qsymb, qlist) -> qlist
  Proc(qlist, qzero) -> qinit   S(qinit, qinit, qnil, qnil) -> q0

Assume that we want to find the proper conditions for process P+ (resp. P-)
to terminate without leaving any uncounted '+' symbol (resp. '-' symbol). When
the process ends, it returns the value of its counter: the term Stop(c) represents a
terminated process returning the value c. An automaton Bad_state, representing
the incorrect states of the system, recognizes all the terms of the form S(Stop(i),
p, full, m) and S(p, Stop(i), m, full) where i is any natural, p is a process
in any configuration (terminated or not), full is a non-empty message queue
and m is any message queue (empty or not).

Assume that we naively choose to stop a process as soon as its list is empty.
This can be done by adding the following rewrite rule to the previous TRS:
Proc(nil, c) -> Stop(c). Since the whole TRS is linear, we can achieve some
exact completion steps by normalizing every new transition with new states. After
the third completion step, if we compute an intersection with the Bad_state
automaton, we obtain a non-empty intersection, meaning that such a bad
configuration is reachable. To avoid this bad behavior, it is necessary that each
process additionally checks that its message queue is empty before terminating.
This can be encoded by the following rules, replacing Proc(nil, c) -> Stop(c):

S(Proc(nil, c), z, nil, n) -> S(Stop(c), z, nil, n)

S(x, Proc(nil, c), m, nil) -> S(x, Stop(c), m, nil)

Similarly, we can achieve some exact completion steps and check that the
intersection is empty. It is the case for the first three steps, but the intersection
is no longer empty after the fourth exact completion step. This is due to the
fact that a process P+, for example, may have an empty list and an empty queue
and then stop while process P- still has some '+' in its list, and thus may later send
some messages to P+, which is already stopped. A solution consists in using a
synchronizing message end sent by P- to P+ when P- has reached the end of its
list. Then, P+ stops only if its list is empty and the head of its queue contains
the end message sent by P-. The behavior of P- is symmetrical. The set of rules
controlling the process termination becomes:

S(Proc(nil, c), z, m, n) -> S(Proc(nil, c), z, m, add(end, n))    (* P+ ends its list *)
S(x, Proc(nil, c), m, n) -> S(x, Proc(nil, c), add(end, m), n)    (* P- ends its list *)

S(Proc(nil, c), z, cons(end, m), n) -> S(Stop(c), z, m, n)         (* P+ stops *)
S(x, Proc(nil, c), m, cons(end, n)) -> S(x, Stop(c), m, n)         (* P- stops *)



Note that the first two rewrite rules are non-terminating. We also have to
modify the tree automaton Bad_state such that it recognizes the states where a
process is stopped but its message queue contains at least one uncounted symbol
'+' or '-' and possibly some end messages. Then, starting from A0, we can
perform some exact completion steps and check that the intersection is empty.
After the fourth exact completion step, the completed automaton has more than
6000 states and more than 8000 transitions, and the intersection with Bad_state
still results in an empty automaton. Thus, it is worth trying to approximate
in order to prove that this solution is finally a correct one. Here is a possible
approximation to add to the specification:



Approximation Procapp
States qlist qnil qsymb qzero qnat qrunproc qemptyproc qterminated qend qnil_end qlist_end
Rules [x -> y] -> [
  o -> qzero
  s(qzero) -> qnat
  s(qnat) -> qnat
  plus -> qsymb
  minus -> qsymb
  end -> qend
  nil -> qnil
  cons(qsymb, qnil) -> qlist
  cons(qsymb, qlist) -> qlist
  Proc(qlist, z) -> qrunproc
  Proc(qnil, z) -> qemptyproc
  Stop(z) -> qterminated
  cons(qend, qnil) -> qnil_end
  cons(qend, qnil_end) -> qnil_end
  add(qend, qnil) -> qnil_end
  add(qend, qnil_end) -> qnil_end
  add(qend, qlist) -> qlist_end
  add(qend, qlist_end) -> qlist_end
  add(qsymb, qnil) -> qlist
  add(qsymb, qlist) -> qlist ]



In this approximation, named Procapp, we define a set of states (new or in
common with A0) and a set of approximation rules. Note that the left-hand side
[x -> y] of the rule of Procapp matches every new transition to normalize. In the
right-hand side of the rule, we simply give all configurations or all configuration
patterns that should be normalized into distinct states in order to be able to
prove the property. For instance, it is important to distinguish between empty
lists (qnil), lists with at least a symbol (qlist), empty lists with at least an end
message (qnil_end) and lists with at least a symbol and at least an end message
(qlist_end). Similarly, it is important to distinguish between running processes
(qrunproc), processes with an empty list (qemptyproc) and terminated processes
(qterminated). Thanks to this approximation, the completion process does not
require any other normalization from the user and terminates on a tree automaton
with 13 states and 95 transitions. The intersection between this automaton and
the automaton Bad_state is empty, and thus we have proved that all bad states
are unreachable from the initial configurations.
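As an added illustration (not Timbuk's code), the following Python program explores the reachable configurations of the two-process system by bounded breadth-first search and reports the first Bad_state configuration it meets, under each of the three termination policies discussed in this section. The policy names, the function names and the modelling of add as an immediate append at the tail are my own, so the depths it reports are not the paper's completion steps.

```python
from collections import deque

# Added example (not Timbuk's code): bounded exploration of the two-process
# system S(P+, P-, queue+, queue-).  A process is ("Proc", list, counter) or
# ("Stop", counter); lists and queues are tuples over "+", "-" and "end".
# add(x, q) is modelled as appending x at the tail in a single step.


def step_process(proc, own_q, other_q, mine, policy):
    """One-step moves of the process counting symbol `mine`; the other symbol is
    forwarded to its peer.  Returns (new_proc, new_own_q, new_other_q) triples."""
    moves = []
    if proc[0] != "Proc":
        return moves                                  # a stopped process does nothing
    _, lst, c = proc
    if lst:
        head, rest = lst[0], lst[1:]
        if head == mine:                              # counts its own symbol
            moves.append((("Proc", rest, c + 1), own_q, other_q))
        else:                                         # forwards the peer's symbol
            moves.append((("Proc", rest, c), own_q, other_q + (head,)))
    if own_q and own_q[0] == mine:                    # reads a message from its queue
        moves.append((("Proc", lst, c + 1), own_q[1:], other_q))
    if not lst:                                       # termination rules
        if policy == "naive":                         # Proc(nil, c) -> Stop(c)
            moves.append((("Stop", c), own_q, other_q))
        elif policy == "empty_queue" and not own_q:   # stop only with an empty queue
            moves.append((("Stop", c), own_q, other_q))
        elif policy == "handshake":
            moves.append((proc, own_q, other_q + ("end",)))      # ends its list
            if own_q and own_q[0] == "end":
                moves.append((("Stop", c), own_q[1:], other_q))  # stops on end
    return moves


def successors(state, policy):
    """All one-step rewrites of a system state (either process may move)."""
    p_plus, p_minus, q_plus, q_minus = state
    out = [(np, p_minus, nqp, nqm)
           for np, nqp, nqm in step_process(p_plus, q_plus, q_minus, "+", policy)]
    out += [(p_plus, nm, nqp, nqm)
            for nm, nqm, nqp in step_process(p_minus, q_minus, q_plus, "-", policy)]
    return out


def is_bad(state):
    """Bad_state: a stopped process whose queue still holds an uncounted '+' or '-'
    (end messages may remain, as in the final version of the automaton)."""
    p_plus, p_minus, q_plus, q_minus = state
    return ((p_plus[0] == "Stop" and any(x in ("+", "-") for x in q_plus)) or
            (p_minus[0] == "Stop" and any(x in ("+", "-") for x in q_minus)))


def find_bad_state(plus_list, minus_list, policy, max_depth=12):
    """Explore from S(Proc(l+, 0), Proc(l-, 0), nil, nil) up to `max_depth` steps.
    Returns (depth, state) for the first bad configuration found, else None."""
    start = (("Proc", tuple(plus_list), 0), ("Proc", tuple(minus_list), 0), (), ())
    seen, frontier = {start}, deque([(start, 0)])
    while frontier:
        state, depth = frontier.popleft()
        if is_bad(state):
            return depth, state
        if depth < max_depth:
            for nxt in successors(state, policy):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, depth + 1))
    return None


if __name__ == "__main__":
    for policy in ("naive", "empty_queue", "handshake"):
        print(policy, find_bad_state(["+", "-"], ["-", "+"], policy))
```

For the first two policies a bad configuration turns up within a few steps; for the end handshake none is found up to the bound, which, unlike the approximation above, proves nothing about deeper configurations since the end-sending rules never terminate.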
4.3 More Expressiveness and More Detailed Approximations

In this section, we show how to design more precise approximations to verify
more complex rewrite specifications with Associative and Commutative (AC)
symbols and non left-linear TRSs. Such an extended specification formalism
is useful, for instance, to model and verify cryptographic protocols [7]. Those
protocols are supposed to be secure in a hostile environment where an intruder
stores every message and every key he sees, decrypts some parts, forges new
messages with the parts he has and sends every possible message in his store in
order to attack some agents. We can model the intruder store using a term built
with an Associative Commutative (AC) symbol store, where for example the
term store(a, store(store(b, a), c)) represents the multiset {a, a, b, c}. The
terms pubkey(x), privkey(x), encr(k, c), and cons(x, y) represent respectively
the public and private key of an agent x, the encryption of c using the key k and
a message composed of two parts x and y. We can model some of the message
constructions that an intruder can do on its store, as is done for example
in [E]:

(* The intruder can encrypt any stored component with any stored key *)
store(z, pubkey(x)) -> store(encr(pubkey(x), z), store(z, pubkey(x)))
store(z, privkey(x)) -> store(encr(privkey(x), z), store(z, privkey(x)))

(* The intruder can decompose or compose any component he has *)
store(cons(x, y), m) -> store(store(cons(x, y), m), store(x, y))
store(x, y) -> store(cons(x, y), store(x, y))

The rules encoding the AC behavior of the store symbol are also necessary:

store(x, y) -> store(y, x)

store(store(x, y), z) -> store(x, store(y, z))

store(x, store(y, z)) -> store(store(x, y), z)

Note that those rules are highly non-terminating; we thus have to define
strong approximation rules. When AC symbols are simply used for representing
sets of objects, a quite natural approximation rule for the store symbol
is the following: [store(x, y) -> z] -> [x -> z  y -> z]. This rule normalizes
every new configuration of the form store(s, t) -> q (where s and t are not
states) into the configurations s -> q, t -> q and store(q, q) -> q. The intuition
behind this rule is that every 'subset' x and y of the store store(x, y) should be
recognized by the same state as store(x, y).

We have represented some of the intruder manipulations, but our specification
still lacks decryption of encrypted components for which the intruder has the
decryption key. To describe this behavior, we need non left-linear rules in order
to check the correspondence between stored keys and the key that was used to
encrypt the message:

store(encr(privkey(x), z), pubkey(x)) -> store(encr(privkey(x), z), store(pubkey(x), z))
store(encr(pubkey(x), z), privkey(x)) -> store(encr(pubkey(x), z), store(privkey(x), z))

This encodes the fact that to decrypt a message encoded with the private
key of an agent x, the intruder should have in its store the public key of x, and
vice versa. In 0, we have defined a sufficient constraint on the automaton such
that completion with non left-linear rules still gives an over-approximation of
the reachable terms. Roughly, the constraint on the automaton $A_i$ is the following:
for every rule $l \to r$ whose left-hand side has a non-linear variable $x$, for every
substitution $\sigma$ and every state $q$ such that $l\sigma \to^*_{A_i} q$ there exists a unique $q'$ such
that $x\sigma \to^*_{A_i} q'$. The state $q'$ is called a deterministic state. Going back to the
two rewrite rules of our example, this means that we have to ensure that terms
matched by the variable x are recognized by deterministic states. Since terms
matched by x should be agents, all we have to ensure is that during completion
all terms representing agents are recognized by deterministic states: this can be
ensured by the choice of appropriate approximation rules or priority transitions.
For example, assume that we represent agents by terms of the form agent(i)
where i is a natural. Then the following approximation rules should make the
state qagt deterministic²:

[x -> y] -> [o -> qnat  s(qnat) -> qnat  agent(qnat) -> qagt]

The state qagt is deterministic but it contains all agents. However, using
the same technique it is possible to have any variety of regular categorization
of agents, for example: two distinct agents A and B, a server S, an unbounded
number of other honest agents and an unbounded number of dishonest agents:

[x -> y] -> [o -> zero  s(zero) -> one  s(one) -> two
             s(two) -> qodd  s(qodd) -> qeven  s(qeven) -> qodd
             agent(zero) -> qA  agent(one) -> qB  agent(two) -> qS
             agent(qodd) -> qHonnest  agent(qeven) -> qDishonnest]

In the context of cryptographic protocols, deterministic states are also useful
for a precise normalization of all the new transitions generated by the
protocol specification. For instance, assume that the intruder obtains a new
piece of information: let encr(pubkey(qA), cons(m1, cons(m2, m3))) -> qstore
be the new transition to be added, where qA is the deterministic state recognizing
only the agent A and qstore the state recognizing all the store of the
intruder. If we use a too drastic normalization rule of the form [x -> y] ->
[z -> qstore], then the message components m1, m2, m3 are likely to be
normalized into state qstore and thus available to the intruder in spite of their
encryption by pubkey(qA). A normalization rule of the form [encr(x, y) -> z]
-> [y -> qprotected] avoids this problem but normalizes the content of every
encrypted component by the same state qprotected, and thus makes no
difference between a secret known by A, B or any other agent. A correct solution
is for example [encr(pubkey(qA), y) -> z] -> [y -> qAsecret], which produces
the normalized transitions encr(pubkey(qA), qAsecret) -> qstore and cons(m1,
cons(m2, m3)) -> qAsecret. If the order and number of messages m1, m2 and m3 are
not important for the verification of the property, it is also possible to collapse
the structure of the message by adding the following approximation rule: [x ->
qAsecret] -> [y -> qAsecret], which normalizes every subterm of the
configuration matched by x with the unique state qAsecret, for every new transition
matching [x -> qAsecret]. Thus, every message component remains secret but
the message structure has been lost. More details about proving cryptographic
protocol properties with our approximation technique are given in [7].

² For safety, this can also be checked during completion by computing intersections
between the states matched by non-linear variables. This is another action proposed
by the user menu.
5 Conclusion

In this article we presented the Timbuk tool and its completion algorithm to
construct approximations of the sets of descendants. Whereas many tools prove
some properties on TRSs under strong restrictions on the TRSs, approximations
permit to prove some unreachability properties on non-linear TRSs that are
non-terminating and may contain some AC symbols. Properties that can be proved
are only 'regular' properties, but they are of practical interest, for instance in the case
of cryptographic protocols. Furthermore, we have presented here some new tools
- priority transitions and approximation rules - in order to make approximation
construction more intuitive and more automatic.

Although we focus on approximation, for some classes of TRSs $\mathcal{R}$ and regular
languages $E$, $\mathcal{R}^*(E)$ is regular and can be exactly recognized [9,10]. But those
classes are very restrictive if we intend to use TRS for specification in general. In
spite of this, D. Monniaux m has shown that even some simple decidable classes
can be used to model some intruder knowledge for cryptographic protocol
verification. A more recent regular class was found by P. Réty m where the restrictions
are weaker on the TRS and stronger on the regular language $E$, which is restricted
to data terms. Nevertheless, the restriction on the TRS is still strong w.r.t. a
specification language since it forbids, in particular, nested function symbols. As
a result, all the examples of this paper are still out of the scope of an exact
computation of $\mathcal{R}^*(E)$. However, we think that it is worth integrating the results
of [16] in Timbuk for proving reachability in addition to unreachability.

In El, some approximations based on tree languages are proposed: for
higher-order functional programs transformed into term rewriting systems in m
and for imperative and functional first-order programs in [4]. In both, the aim
is to achieve static analysis and thus the priority is given to automation: to
ensure termination, the approximation methodology is fixed and there is no
user control over the approximation rules. Moreover, the approximation of m
and the widening of [H, section 6.1] could not be used in our context since they
lose relational information. In particular, if many new transitions with left-hand
sides of the form encr(pubkey(A), m1), encr(pubkey(B), m2), ... are produced by
the same rewrite rule, they are all normalized using the same states. Then m1
will share a common state with m2, and thus m1 will no longer be secret for B, and
vice versa.

As far as we know, two other distributed tools also implement tree automata:
Mona & Fido [12] and RX [U]. In Mona & Fido, tree automata are essentially
an internal data structure (deterministic binary tree automata optimized
with BDDs) used to decide the WS1S and WS2S logics. In RX, like in Timbuk,
the user can describe regular languages in the usual way using deterministic
or non-deterministic grammars, and then compute some intersections, unions and
differences between those languages. However, like Mona & Fido, RX was
designed for a purpose very different from Timbuk and thus does not implement
approximations.



which was designed to prove some termination theorems in combinatory logic. 
Abstract. The basic task of binding-time analysis (BTA) is to compute
annotations that guide the unfolding decisions of a specialiser. The main
problem is to guarantee that the specialisation will terminate. In the
context of logic programming, only a few such automatic analyses have
been developed, the most sophisticated among them relying on the result
of a separate termination analysis. In this work, we devise an analysis
that generates the annotations during termination analysis, which allows
much more liberal unfoldings than earlier approaches.



1 Introduction 

Partial evaluation is a well-studied source-to-source transformation, capable of
specialising a program $P$ with respect to a part $s$ of its input. The result is
a program $P_s$ that computes, when provided with the remaining part $d$ of the
input, the same result as the original program $P$ on the complete input $s$ and $d$.
The general effect of partial evaluation is that the computations performed by
a program are staged: some (ideally all) operations in $P$ that depend only on $s$
are performed by the specialiser; the remaining computations (those depending
on $d$) by the residual program $P_s$. Partial evaluation can be used to speed up
the computation of a program, in particular when the program must be run a
number of times while part of its input (the part denoted by $s$) remains
constant. Indeed, using partial evaluation, the computations depending on $s$ need
to be performed only once to construct $P_s$, which can then be run any number
of times with different inputs $d$. The heart of any partial evaluator is an
evaluation mechanism for the language under consideration. In a logic programming
setting, "evaluation" of a program corresponds to building an SLD-tree for a
program/query pair $(P, Q)$. If the program terminates, the corresponding
SLD-tree is finite. In this setting, partially available input corresponds to a query $Q'$
that is less instantiated than $Q$. Due to the nature of logic programming, the
program could, in principle, simply be evaluated with respect to $Q'$. Most likely,
however, the SLD-tree built for $(P, Q')$ will be infinite. Indeed, if the control
flow is determined by a value that is unknown in $(P, Q')$, SLD-derivations of
infinite length may be created, resulting in a non-terminating specialisation
process. Instead of building such a possibly infinite SLD-tree, a partial evaluator for
logic programs builds a finite number of finite SLD-trees that together cover the
complete computation for $(P, Q')$ [M]. The resulting SLD-trees are partial, in
the sense that, while building the SLD-tree, the partial evaluator unfolds some
predicate calls whereas it does not unfold others. The predicate calls that are
not unfolded are said to be residualised - they will appear as code in the residual
program.

Most work on partial evaluation in logic programming concentrates on the
so-called on-line approach m: during the construction of a partial SLD-tree,
the partial evaluator selects each call occurring in an SLD-derivation and decides
whether or not to unfold it, usually basing its decision on the structure of the
SLD-tree built so far. In the off-line approach, on the other hand, the program is
first analysed by a so-called binding-time analysis (BTA). Binding-time analysis
is a global analysis that takes a program and (an abstraction of) the query and
generates an annotated version of the original program, in which every predicate
call is accompanied by an instruction stating whether or not instances of this
call must be unfolded. The actual specialiser builds the partial SLD-trees simply
by following the instructions generated by the BTA. While in general an on-line
partial deduction system can achieve better results than an off-line system, the
off-line approach also offers a number of advantages. First of all, the separation
of the process into a binding-time analysis followed by a specialisation phase
makes the process conceptually easier to reason about, and results in a fairly
simple (and efficient!) specialiser from which the burden of continuously
monitoring the evaluation process has been removed. Also, the analysis output can
be represented by annotations on the original source program, and as such provides
excellent feedback to the user, giving clues as to why an optimisation was
(not) performed. In spite of these advantages, only a few efforts have been made
to construct an off-line partial evaluator for logic programming, in particular
m and [2]. Both approaches require, however, the binding-time analysis to be
performed by hand. In previous work m, we have developed a binding-time
analysis for the strongly moded logic programming language Mercury. Adapting
such an analysis to an unmoded language is far from trivial. To the best of our
knowledge, the first serious attempt to create an automatic binding-time analysis
for pure logic programs is [3]. The analysis advocates the use of termination
conditions to decide what predicate calls can safely be unfolded. These conditions
must, however, be created by hand or be derived by a separate termination
analysis, which imposes some serious restrictions on the unfolding possibilities, as we
will demonstrate further on. In this work, we generate the necessary annotations
during termination analysis, which will allow for much more liberal unfoldings
during specialisation.

The remainder of this paper is organised as follows: in Section 2 we motivate
our work by demonstrating the need for a more refined control mechanism
than the use of termination conditions alone. In Section 3 we adapt an existing
termination analysis to our needs and develop the actual binding-time analysis.
Section 4 reports on a prototype implementation of the analysis and we conclude
in Section 5.
2 The Role of Termination in Binding-Time Analysis

The basic task of binding-time analysis is to annotate every predicate call in a
program as either static or dynamic such that constructing an SLD-derivation
by unfolding the statically annotated calls - leaving the dynamically annotated
ones as they are - terminates for every call that may occur during specialisation.
As was suggested before in the literature [3,7], it seems natural to base the
decision whether or not to unfold a predicate call on the termination properties
of the particular call. The motivation is obvious: if it can be shown that the
(specialisation-time instance of the) call terminates under normal evaluation, the
call can safely be annotated as static, since unfolding it during specialisation will
terminate. First, we take a closer look at how the termination properties of a call
can be expressed; next, we discuss the use of such properties for binding-time
analysis.

The condition under which a call is guaranteed to terminate is usually
expressed in terms of the degree of instantiatedness of the call's arguments,
measured with respect to a given norm. Such a norm is a function that maps a term
to an expression that approximates the "size" of the term. Two examples of
frequently used norms are the termsize norm, denoted by $\|.\|_{ts}$, which counts the
number of functors in a term, and the listlength norm, denoted by $\|.\|_{ll}$, which
counts the number of elements in a list.



$$\|t\|_{ts} = \begin{cases} 1 + \sum_{i=1}^{n} \|t_i\|_{ts} & \text{if } t = f(t_1, \ldots, t_n) \\ t & \text{if } t \text{ is a variable} \end{cases}
\qquad
\|t\|_{ll} = \begin{cases} 1 + \|Xs\|_{ll} & \text{if } t = [X|Xs] \\ t & \text{if } t \text{ is a variable} \\ 0 & \text{otherwise} \end{cases}$$



Note that the norms are symbolic as they map a term to a value that can
possibly include variables. An occurrence of a variable $X$ in a symbolic norm
means the "size" of $X$ with respect to the given norm.

Example 1.

$\|f(a, b, g(c))\|_{ts} = 5$ \qquad $\|f(a, b, g(c))\|_{ll} = 0$

$\|[X_1, X_2, X_3]\|_{ts} = 4 + X_1 + X_2 + X_3$ \qquad $\|[X_1, X_2, X_3]\|_{ll} = 3$

$\|[X_1, X_2|X_3]\|_{ts} = 2 + X_1 + X_2 + X_3$ \qquad $\|[X_1, X_2|X_3]\|_{ll} = 2 + X_3$

If a norm maps a term to an expression that does not contain variables, the term
is said to be instantiated enough:

Definition 1. (From [13]) A term $t$ is instantiated enough with respect to a
symbolic norm $\|.\|$ if $\|t\|$ is a ground term.

In Example 1 the term $[X_1, X_2, X_3]$ is instantiated enough with respect to the
listlength norm (since $\|[X_1, X_2, X_3]\|_{ll} = 3$), but not with respect to the termsize
norm (since $\|[X_1, X_2, X_3]\|_{ts} = 4 + X_1 + X_2 + X_3$, the latter expression still
containing variables). This characteristic can be used to define the conditions
under which a call to a predicate terminates. For example, a call to the
well-known append/3 predicate can be shown to terminate when either its first or its
third argument is instantiated enough with respect to the listlength norm.
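An added Python implementation (not the paper's analysis) of the two symbolic norms and of the instantiated-enough test of Definition 1, reproducing the values of Example 1; the dict representation of symbolic sizes, the parse helper and the function names are my own.

```python
import re

# Added example (not the paper's code): symbolic termsize and listlength norms.
# Terms: a variable is a string starting with an upper-case letter or '_', a
# constant is any other string, a compound term is (functor, arg1, ..., argn);
# '[]' is the empty list and ('.', Head, Tail) the list constructor.


def parse(text):
    """Parse Prolog term syntax with list notation, e.g. 'f(a, [X1, X2 | X3])'."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[(),\[\]|]", text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def term():
        tok = take()
        if tok == "[":                               # list: [a, b | Tail]
            if peek() == "]":
                take()
                return "[]"
            items = [term()]
            while peek() == ",":
                take()
                items.append(term())
            tail = "[]"
            if peek() == "|":
                take()
                tail = term()
            take()                                   # ']'
            for item in reversed(items):
                tail = (".", item, tail)
            return tail
        if peek() == "(":                            # compound term f(t1, ..., tn)
            take()
            args = [term()]
            while peek() == ",":
                take()
                args.append(term())
            take()                                   # ')'
            return (tok, *args)
        return tok                                   # variable or constant

    return term()


def is_var(t):
    return isinstance(t, str) and (t[0].isupper() or t[0] == "_")


# A symbolic size is a dict from variable names to coefficients; the key ""
# holds the constant part, so 4 + X1 + X2 is {"": 4, "X1": 1, "X2": 1}.
def add(*sizes):
    total = {}
    for s in sizes:
        for k, v in s.items():
            total[k] = total.get(k, 0) + v
    return total


def termsize(t):
    """||t||_ts: the number of functors, variables counted symbolically."""
    if is_var(t):
        return {t: 1}
    if isinstance(t, str):
        return {"": 1}                               # a constant is one functor
    return add({"": 1}, *(termsize(arg) for arg in t[1:]))


def listlength(t):
    """||t||_ll: the number of list cells, 0 for anything that is not a list cell."""
    if is_var(t):
        return {t: 1}
    if isinstance(t, tuple) and t[0] == "." and len(t) == 3:
        return add({"": 1}, listlength(t[2]))
    return {"": 0}


def instantiated_enough(t, norm):
    """Definition 1: the norm of t is ground, i.e. it mentions no variable."""
    return all(k == "" for k in norm(t))


def show(size):
    """Render a symbolic size as the paper writes it, e.g. '4 + X1 + X2 + X3'."""
    parts = [str(size.get("", 0))]
    parts += [k if v == 1 else f"{v}*{k}" for k, v in sorted(size.items()) if k]
    return " + ".join(parts)


if __name__ == "__main__":
    for text in ("f(a, b, g(c))", "[X1, X2, X3]", "[X1, X2 | X3]"):
        t = parse(text)
        print(text, " ts =", show(termsize(t)), " ll =", show(listlength(t)))
```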

To the best of our knowledge, the only automatic binding-time analysis for
unmoded logic programs that incorporates termination conditions is [3]. It uses
a Pos-based analysis to compute a safe approximation of what arguments in a
predicate call will be instantiated enough during specialisation and combines
this information with the termination condition of the called predicate in order
to annotate the call as either static or dynamic. The approach is appealing as
it separates the actual analysis from the construction of termination conditions,
which can be given by the user or automatically derived by a separate
termination analysis (like e.g. [15]). However, basing the decision to unfold a call on
the termination characteristics of the call imposes considerable restrictions on
the unfolding possibilities. The fact that a call is marked static only in case it
terminates implies that only calls that can be completely unfolded to true or fail
are unfolded. While this approach might be appropriate for some applications, it
is not for general logic programs. Consider the following example, implementing
a simple Vanilla meta interpreter.

Example 2. Consider the meta interpreter depicted in Fig. 1. The interpreter
has the member/2 and append/3 predicates as object program. The clauses are
numbered for later reference.

1 : solve([]).

2 : solve([A|Gs]) :- solve_atom(A), solve(Gs).

3 : solve_atom(A) :- clause(A, Body), solve(Body).

4 : clause(member(X,Xs), [append(_, [X|_], Xs)]).

5 : clause(append([], L, L), []).

6 : clause(append([X|Xs], Y, [X|Zs]), [append(Xs, Y, Zs)]).

Fig. 1. Vanilla meta interpreter

Assume we want to specialise the meta interpreter from Example 2 with respect
to the query solve([member(X,Xs)]) in order to remove the interpretation
overhead and to obtain the object-level definitions of member/2 and append/3.
Any sensible termination analysis will indicate possible non-termination for this
query, the reason being of course that, since an object-level call member(X,Xs)
does not terminate, neither will the meta call solve([member(X,Xs)]). Hence,
if we take termination of a call as its unfolding condition, no call to solve/1
will be annotated static by the analysis and consequently no such call will be
unfolded during specialisation, resulting in a program that is far from optimally
specialised.

Intuitively, however, we can see that it is perfectly safe to unfold all calls
to the solve/1 predicate as long as the intermediate calls to solve_atom/1 are
residualised. The idea is that the solve/1 predicate in a sense only performs
the parsing of an object goal (deconstructing a list of object atoms), which is
terminating in Example 2 and could hence be performed during specialisation.
Thus, residualising the calls to solve_atom/1 and unfolding the others results
in the specialised program depicted in the left-hand side of Fig. 2. Applying a
standard structuring filtering transformation [S] results in the program depicted
in the right-hand side, which corresponds with (a renaming of) the traditional

Left-hand side:

solve([member(X,Xs)]) :-
    solve_atom(member(X,Xs)).
solve_atom(member(X,Xs)) :-
    solve_atom(append(A, [X|_], Xs)).
solve_atom(append([], [X|B], [X|B])).
solve_atom(append([E|Es], [X|B], [E|Zs])) :-
    solve_atom(append(Es, [X|B], Zs)).

Right-hand side:

solve([member(X,Xs)]) :-
    sa_mem(X,Xs).
sa_mem(X,Xs) :-
    sa_app(A, [X|_], Xs).
sa_app([], [X|B], [X|B]).
sa_app([E|Es], [X|B], [E|Zs]) :-
    sa_app(Es, [X|B], Zs).

Fig. 2. Specialised Vanilla

member/2 and append/3 predicates. This example illustrates the need to be able
to partially unfold a call: building a derivation in which some of the selected
atoms are unfolded while others are residualised.

The question remains how to derive annotations that imply such behaviour 
during specialisation. Clearly, using the results of a separate termination anal- 
ysis is insufficient, since these analyses assume that all intermediate calls are 
unfolded. Yet termination of such partial unfolding remains an important issue. 
In what follows, we try to merge these observations, and develop a binding-time 
analysis that does not incorporate the results of a separate termination analy- 
sis, but is rather constructed by modifying a termination analysis, such that it 
takes the effect of residualising calls into account during the termination anal- 
ysis. Consequently, the resulting analysis no longer proves termination of plain 
evaluation of a call, but rather termination of partial evaluation of the call. 

3 From Termination Analysis to Binding-Time Analysis 

The general idea behind our binding-time analysis is as follows: assume that we 
want to annotate a program P for specialisation with respect to a query Q. If 
termination of Q with respect to P can be proven, then every call in the program 
can safely be annotated static and specialisation boils down to plain evaluation. 
If, on the other hand, termination could not be proven, we use the termination
analysis to indicate the call in the program because of which termination could
not be proven, and mark that call dynamic. Next, we rerun the termination analysis,
now taking the fact that the dynamically annotated call is not unfolded into 
account. The process is repeated until enough calls are annotated dynamic such 
that termination of the specialisation is proven. In what follows, we first adapt 
an existing termination analysis such that, if it is unable to prove termination, 
it pinpoints a call in the program due to which termination could not be proven; 
next we develop the actual binding-time analysis. 



3.1 Enhancing Termination Analysis 

We assume some familiarity with the basic issues in (automatic) termination
analysis of logic programs. See for an overview. As usual, we refer with the
notion of "termination" of a program to its termination with respect to the
left-to-right selection rule. In what follows, we focus in particular on the concepts
and terminology of [4], as this work provides the necessary foundations for our
binding-time analysis. Given a symbolic norm $||.||$, we define the abstraction of
a program with respect to $||.||$ as the program that is obtained by replacing each
term $t$ in the program by $||t||$.

Example 3. Consider the append/3 predicate and its abstraction with respect
to the list-length norm $||.||_{ll}$ in Figure 3.

append/3                                    abstract append/3 w.r.t. $||.||_{ll}$

append(X,Y,Z) :- X=[], Y=Z.                 append(X,Y,Z) :- X=0, Y=Z.
append(X,Y,Z) :- X=[E|Xs], Z=[E|Zs],        append(X,Y,Z) :- X=1+Xs, Z=1+Zs,
                 append(Xs,Y,Zs).                            append(Xs,Y,Zs).

Fig. 3. The listlength abstraction of append/3



For simplicity, we assume a normalised representation of clauses in which the
head of a clause contains only distinct variables; all unifications are thus ex-
plicit in the body of the clause. An abstract program is formally defined over a
first order constraint logic programming language denoted CLP($\mathbb{N}$). Constraints
in CLP($\mathbb{N}$) are conjunctions of the relations $\{=, <, >, \le, \ge\}$ on terms $T$ con-
structed from the program's variables and the set of function symbols $\mathbb{N} \cup \{+/2\}$.
For two atoms $A = p(t_1, \dots, t_n)$ and $B = p(t'_1, \dots, t'_n)$, we use $A = B$ as an ab-
breviation for the constraint $\bigwedge_{i=1}^{n} (t_i = t'_i)$. A clause in CLP($\mathbb{N}$) is of the form
$H \leftarrow \mu, B_1, \dots, B_n$ where $\mu$ is a constraint and $H, B_1, \dots, B_n$ are atoms con-
structed from the program's predicate symbols and $T$. For a program $P$, we
denote its abstraction with respect to the norm $||.||$ by $P_{||.||}$. We assume that
each clause in $P_{||.||}$ has a unique number associated with it and where appropri-
ate, we denote with $i : C$ the clause $C$ with number $i$. Computations in CLP($\mathbb{N}$)
are performed over $\mathbb{N}$ with the standard interpretations for $\{=, <, >, \le, \ge\}$.
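The norm abstraction of Example 3 and Fig. 3, as an added example in Python (not code from the paper): it computes the list-length norm and a term-size norm symbolically, as a constant plus variables, and abstracts the normalised append/3 clauses of Fig. 3 with respect to either norm. The term encoding, the Size class and the names list_length, term_size, APPEND and abstract_program are this example's own choices; the term-size definition used (one per function symbol, constants included) is one common variant.

```python
from collections import Counter

# Term encoding (constructed for this example): a variable is a string starting with an
# uppercase letter; a compound term is a tuple (functor, *args); [H|T] is ('.', H, T), [] is '[]'.
def is_var(t):
    return isinstance(t, str) and t[0].isupper()

class Size:
    """A symbolic natural number c + k1*V1 + ... + kn*Vn: the value of a symbolic norm."""
    def __init__(self, const=0, vars=None):
        self.const, self.vars = const, Counter(vars or {})
    def __add__(self, other):
        return Size(self.const + other.const, self.vars + other.vars)
    def __str__(self):
        terms = [str(self.const)] if self.const or not self.vars else []
        terms += [(f"{k}*" if k > 1 else "") + v for v, k in sorted(self.vars.items())]
        return "+".join(terms)

def list_length(t):
    """||t||_ll of Fig. 3: one per list cell, plus the tail variable of an open-ended list."""
    if is_var(t):
        return Size(0, {t: 1})
    if isinstance(t, tuple) and t[0] == '.':
        return Size(1) + list_length(t[2])
    return Size(0)

def term_size(t):
    """||t||_ts, one common variant: one per function symbol (constants included), plus
    one unknown per variable, so it separates ground from possibly non-ground terms."""
    if is_var(t):
        return Size(0, {t: 1})
    if isinstance(t, tuple):
        return sum((term_size(a) for a in t[1:]), Size(1))
    return Size(1)

# Normalised append/3 of Fig. 3: the head holds distinct variables and every
# unification is an explicit body goal ('=', Var, Term).
APPEND = [
    (('append', 'X', 'Y', 'Z'), [('=', 'X', '[]'), ('=', 'Y', 'Z')]),
    (('append', 'X', 'Y', 'Z'), [('=', 'X', ('.', 'E', 'Xs')), ('=', 'Z', ('.', 'E', 'Zs')),
                                 ('append', 'Xs', 'Y', 'Zs')]),
]

def abstract_goal(goal, norm):
    """Replace every term of a body goal by its norm: X=t becomes X=||t||,
    p(t1,...,tn) becomes p(||t1||,...,||tn||)."""
    if goal[0] == '=':
        return f"{goal[1]}={norm(goal[2])}"
    return goal[0] + "(" + ",".join(str(norm(a)) for a in goal[1:]) + ")"

def abstract_program(clauses, norm):
    """The abstraction P_||.|| of a normalised program, one clause per string."""
    return [f"{head[0]}({','.join(head[1:])}) :- " + ", ".join(abstract_goal(g, norm) for g in body) + "."
            for head, body in clauses]

if __name__ == '__main__':
    for norm in (list_length, term_size):
        print(f"-- abstract append/3 w.r.t. {norm.__name__}")
        print("\n".join(abstract_program(APPEND, norm)))
```

With list_length the output is the right-hand column of Fig. 3; with term_size the second clause becomes append(X,Y,Z) :- X=1+E+Xs, Z=1+E+Zs, append(Xs,Y,Zs), which is the difference the Discussion section draws between the two norms: under term size a term is only as static as all of its subterms.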

We follow the approach of [3], and compute a finite approximation of the
abstract binary unfoldings semantics of a program $P$. The abstract binary un-
foldings semantics of $P$ consists of a (possibly infinite) set of abstract binary
clauses. Where the abstract program expresses existing relations on the size of
the arguments in the program, the associated abstract binary clauses express
relations on the sizes of the arguments in subsequent calls that can occur in $P_{||.||}$.
We slightly adapt some definitions of [4] to enable the analysis to produce the
more detailed information required for our binding-time analysis. A first defini-
tion is that of a binary clause, which we generalise to the notion of a labelled
abstract binary clause.

Definition 2. A labelled abstract binary clause is a clause in CLP($\mathbb{N}$) that is
either of the form $H \xleftarrow{(i,j)} \mu$ or $H \xleftarrow{(i,j)} \mu, B$ where $i, j \in \mathbb{N}$. The set of all such binary
clauses is denoted by $BC$. A clause of the first form, $H \leftarrow \mu$, is also referred to
as a labelled constrained atom.

The set of labelled abstract binary clauses of a program $P_{||.||}$ is defined as the
least fixed point of the operator $T^{\beta}_{P}$ defined in Definition 3. The $T^{\beta}_{P}$ operator
is adapted from [1] such that it associates a label to each constructed binary
clause, referring to how the binary clause was constructed. In what follows, we
will often simply refer to "binary clauses" when we mean effectively "abstract
labelled binary clauses". Also, we will drop the label from a binary clause when it
is unimportant. In Definition 3, $\exists_V(\mu_0)$ denotes the projection of a constraint $\mu_0$
onto a set of variables $V$ and $Id$ denotes the set of identity binary clauses, these
are clauses of the form $p(X_1, \dots, X_n) \leftarrow p(X_1, \dots, X_n)$. Unfolding an atom with
respect to an identity clause results in the atom itself. We furthermore assume
that clauses are renamed apart wherever appropriate.

Definition 3. $T^{\beta}_{P} : \wp(BC) \mapsto \wp(BC)$ is defined as

$$
T^{\beta}_{P}(I) = \left\{ H \xleftarrow{(i,j)} \mu, B \;\middle|\;
\begin{array}{l}
i : H \leftarrow \mu_0, B_1, \dots, B_m \in P_{||.||},\ 1 \le j \le m, \\
\{A_k \leftarrow \mu_k \mid 1 \le k < j\} \subseteq I, \\
A_j \leftarrow \mu_j, B \in I \cup Id,\ j < m \Rightarrow B \ne true, \\
\mu' = \mu_0 \wedge \bigwedge_{k=1}^{j} (\mu_k \wedge (B_k = A_k)), \\
\mu = \exists_{vars(\{H,B\})}(\mu')
\end{array}
\right\}
$$

Given a set of binary clauses $I$, $T^{\beta}_{P}(I)$ is a new set of binary clauses constructed
by unfolding prefixes of clauses in $P_{||.||}$. If $H \leftarrow \mu, B_1, \dots, B_m$ is a clause in $P_{||.||}$,
for each $1 \le j \le m$, the body atoms $B_1, \dots, B_{j-1}$ are unfolded with respect to
constrained atoms in $I$ and the corresponding instance of $B_j$ is unfolded with
respect to a binary clause $H_j \leftarrow \mu_j, B$ ($B \ne true$) from $I \cup Id$. Note that the
use of the identity clause to "unfold" $B_j$ results in a binary clause of the form
$H \leftarrow \mu, B_j$ (which expresses that a call unifying with $\mu, H$ results in a call
unifying with $\mu, B_j$). Constrained atoms are allowed to unfold $B_j$ only in case
$j = m$; indeed, an answer is obtained only in case all body atoms are unfolded
by a constrained fact. Note that the label associated to a clause constructed by
$T^{\beta}_{P}$ carries information on how the clause was constructed: a clause $H \xleftarrow{(i,j)} \mu, B$
is created by resolving the $j - 1$ leftmost body atoms of the $i$'th clause of $P_{||.||}$
with constrained atoms and the $j$'th atom with a binary clause.

In general, the least fixed point of $T^{\beta}_{P}$, $lfp(T^{\beta}_{P})$, is an infinite set of binary
clauses, as illustrated in the next example (from [1]).

Example 4. Reconsider the append/3 predicate from Example 3. The abstract
binary unfoldings are computed as in Fig. 4.

To obtain a finitary analysis, different approaches exist to further approximate 
the abstract domain. 
$$
\begin{array}{ll}
(1)\ (T^{\beta}_{P_{||.||}})^1(\emptyset) = &
\left\{ \begin{array}{l}
append(X,Y,Z) \xleftarrow{(1,1)} X = 0, Z = Y. \\
append(X,Y,Z) \xleftarrow{(2,1)} X = 1 + Xs, Z = 1 + Zs, append(Xs,Y,Zs).
\end{array} \right\} \\[2ex]
(2)\ (T^{\beta}_{P_{||.||}})^2(\emptyset) = &
\left\{ \begin{array}{l}
append(X,Y,Z) \xleftarrow{(2,1)} X = 1, Z = 1 + Y. \\
append(X,Y,Z) \xleftarrow{(2,1)} X = 2 + Xs, Z = 2 + Zs, append(Xs,Y,Zs).
\end{array} \right\} \cup (T^{\beta}_{P_{||.||}})^1(\emptyset) \\[2ex]
(3)\ (T^{\beta}_{P_{||.||}})^3(\emptyset) = &
\left\{ \begin{array}{l}
append(X,Y,Z) \xleftarrow{(2,1)} X = 2, Z = 2 + Y. \\
append(X,Y,Z) \xleftarrow{(2,1)} X = 3 + Xs, Z = 3 + Zs, append(Xs,Y,Zs).
\end{array} \right\} \cup (T^{\beta}_{P_{||.||}})^2(\emptyset)
\end{array}
$$

Fig. 4. Computing the abstract binary unfoldings.



Example 5. Reconsider the abstract binary unfoldings of append/3 from Exam-
ple 4. Further abstracting using polyhedral approximations [2] (thereby arbitrar-
ily keeping one of the involved labels) results in the following set approximating
$lfp(T^{\beta}_{P_{||.||}})$:

$$
\left\{ \begin{array}{l}
append(X,Y,Z) \xleftarrow{(1,1)} Z = Y + X. \\
append(X,Y,Z) \xleftarrow{(2,1)} Xs < X, Zs < Z, Ys = Y, append(Xs,Ys,Zs).
\end{array} \right\}
$$



The binary clauses capture size relations that exist between the arguments of
subsequent predicate calls. In order to be useful for termination analysis, these
size relations must be combined with instantiation information, that specifies
which of the arguments are instantiated enough with respect to the norm under
consideration. Such instantiation information is obtained by a standard ground-
ness analysis on the abstracted program. In what follows we consider, as in [3],
an abstract domain that combines size relations and instantiation information.
We denote with $mgu^{\alpha}$ the abstract most general unifier over this domain, and
denote with $\approx$ the equivalence of syntactic objects. For a program $P$, we de-
note with $B_P$ the finite set of abstract binary clauses which approximates, with
respect to some given abstraction, $lfp(T^{\beta}_{P})$ over the combined abstract domain.

In termination analysis, one is interested in the termination behaviour of a
specific call with respect to the given program. First, we define the abstrac-
tion of a call $p(t_1, \dots, t_n)$ with respect to a norm $||.||$ as $||p(t_1, \dots, t_n)|| =
p(||t_1||, \dots, ||t_n||)$. The (possibly infinite) set of calls that arise during compu-
tation of an initial call $Q$ in $P$ can be approximated by a finite set of abstract
calls, $calls_P(Q)$, which is determined as follows:
Definition 4. Given a program $P$, an abstract initial call $Q$ and a finite set of
abstract binary clauses $B_P$ approximating $lfp(T^{\beta}_{P})$.

$$
calls_P(Q) = \{Q\} \cup \left\{ B\theta \;\middle|\; H \leftarrow \mu, B \in B_P,\ \theta = mgu^{\alpha}(Q, H) \right\}
$$

The work of [1] defines a sufficient condition to show termination of a call $Q$
with respect to a program $P$. Given a finite approximation $B_P$ of $lfp(T^{\beta}_{P})$, it is
sufficient to show for each call $C \in calls_P(Q)$ a strict decrease in size from the
head to the single body atom for all recursive clauses of $B_P$ that unify with the
call $C$. Adding labels to the abstract binary clauses enables one to reformulate
the termination condition of [3] at the level of the original clauses of $P$. To that
end, we introduce the notion of a clause being loop safe in one of its body atoms.
Intuitively, if we say that a clause $H \leftarrow B_1, \dots, B_n$ is loop safe in its $j$'th body
atom with respect to a set of (abstract) calls $S$, this means that none of the calls
in $S$ unifying with $H$ will spawn an infinite derivation through (instances of)
this body atom.



Definition 5. Given a program $P$, a set of abstract calls $S$ and a finite approx-
imation $B_P$ of $lfp(T^{\beta}_{P})$. Assume there exist a binary clause $\beta = H \xleftarrow{(i,j)} \mu, B \in B_P$
and a call $C \in S$ such that $\theta = mgu^{\alpha}(H, C)$ and $B\theta \approx C$. Let $i_1, \dots, i_k$ be the
argument positions that are instantiated enough both in $H\theta$ and $B\theta$. We denote
these arguments by $(H\theta)_{i_1}, \dots, (H\theta)_{i_k}$ and $(B\theta)_{i_1}, \dots, (B\theta)_{i_k}$. We say that the
clause $i$ of $P$ is loop safe with respect to $S$ in body atom $j$ if for each such $\beta \in B_P$
and $C \in S$ there exists a function $f$ such that

$$
\mu \models f((H\theta)_{i_1}, \dots, (H\theta)_{i_k}) > f((B\theta)_{i_1}, \dots, (B\theta)_{i_k}).
$$

Note that Definition 5 takes only those (abstract) calls and binary clauses into
account such that applying the most general unifier of the head of the clause
and the call on the body atom results in a recursive call with an equivalent
call pattern. See [3] for details on why this is sufficient. Given Definition 5 from
above, we define for a clause $i$ of $P$ and a set of abstract calls $S$,

$$
LS^{i}_{P,S} = \{\, j \mid \text{the clause } i \text{ is loop safe w.r.t. } S \text{ in body atom } j \,\}
$$



Example 6. Let $P$ denote the program consisting of the append/3 predicate with
the abstract binary unfoldings from Example 5 and let $Q$ denote the abstracted
initial call $append(0,Y,Z)$. This call unifies (through $mgu^{\alpha}$) only with the head
of the binary clause labelled $(1,1)$, since unification of $append(0,Y,Z)$ with the
other clause, labelled $(2,1)$, fails due to the fact that the size constraints are not
satisfied since no $Xs < 0$. Hence, we have that both clauses of append/3 are
loop safe with respect to $S = calls_P(append(0,Y,Z)) = \{append(0,Y,Z)\}$. Or,
we have that $LS^{1}_{P,S} = \emptyset$ and $LS^{2}_{P,S} = \{1\}$.

An important result from [3] can now be reformulated as follows: Given a pro-
gram $P$ and initial goal $Q$, if each clause of $P$ is loop safe with respect to
$calls_P(Q)$ in each of its body atoms, then $Q$ terminates with respect to $P$.
3.2 From Termination Analysis to Binding-Time Analysis

Recall that we want to enable the termination analysis to indicate why termi- 
nation of a program cannot be proven. We therefore define the notion of the 
leftmost possibly looping atom of a clause as the leftmost atom of the clause for 
which the termination analysis cannot prove that it is loop safe. 

Definition 6. Consider a program $P$, a set of abstract calls $S$ and a finite ap-
proximation $B_P$ of $lfp(T^{\beta}_{P})$. Let $H \leftarrow B_1, \dots, B_n$ be the $i$'th clause of $P$. We
define its leftmost possibly looping body atom as follows

$$
LLA^{i}_{P,S} =
\begin{cases}
\min(\{1, \dots, n\} \setminus LS^{i}_{P,S}) & \text{if } (\{1, \dots, n\} \setminus LS^{i}_{P,S}) \ne \emptyset \\
\text{undefined} & \text{otherwise}
\end{cases}
$$



Example 7. Let $P$ denote the program consisting of the append/3 predicate with
the abstract binary unfoldings from Example 5 and let $Q$ denote the abstracted
initial call $append(X,0,Z)$ and $S = calls_P(Q)$. Although we still have that
$LS^{1}_{P,S} = \emptyset$, we also have that $LS^{2}_{P,S} = \emptyset$. Indeed, the second clause in the
append program is not loop safe with respect to $S$ in its only body atom, due to
the existence of the binary clause labelled $(2,1)$ (see Example 5). Unifying this
clause with the call $append(X,0,Z)$ results in the binary clause

$$
append(X,0,Z) \leftarrow Xs < X, Zs < Z, append(Xs,0,Zs).
$$

Only the second argument of both atoms is instantiated enough, and there does
not exist a function $f$ such that $X > Xs, Z > Zs \models f(0) > f(0)$. Hence, we
have that $LLA^{2}_{P,S} = 1$.

In general, finding the leftmost looping atom of a clause (if it exists) is an unde-
cidable problem. In practical systems, however, the function $f$ in Definition 5 is
fixed, and is usually defined as a linear combination of the involved arguments.
When $f$ is fixed, the test of Definition 5 can be evaluated, and consequently
the sets $LS^{i}_{P,S}$ and $LLA^{i}_{P,S}$ can be computed. For any clause $i$ in $P$, $LLA^{i}_{P,S}$
provides a safe approximation of the leftmost looping atom in the clause, since
it is guaranteed that no atom to its left can be looping, when the program is
evaluated with respect to an initial call $Q$ and $S = calls_P(Q)$.

Now, we have developed the necessary machinery to define the binding-time 
analysis, which requires annotating the atoms in each of the program’s clauses. 
Annotating the body atoms of a clause usually consists of adding a label to 
each atom, specifying whether the atom is unfolded during specialisation, or 
residualised. In this work, however, we focus on the termination aspects of the 
unfolding, and hence employ a slightly different notion of annotations. In what 
follows, we simply replace atoms that should be residualised by true. Doing so 
permits one to study the termination behaviour of a specialiser that simply 
unfolds the static atoms (and generates code for those that are residualised) 
by studying the termination behaviour of the annotated program under normal 
evaluation. 
Definition 7. Given a clause $H \leftarrow B_1, \dots, B_n$, an annotated version of the
clause is a clause $H \leftarrow B'_1, \dots, B'_n$, where for each $i$ such that $1 \le i \le n$, it
holds that either $B'_i = B_i$ or $B'_i = true$. An annotated version of a program
$P = \bigcup_i C_i$ is a program $P' = \bigcup_i C'_i$ such that for every such clause $C_i$, it holds
that $C'_i$ is an annotated version of $C_i$.

Note that, according to Definition 7, every clause is an annotated version of itself.
When annotating a program, one generally wants to mark as many atoms static
as possible, while guaranteeing termination of the unfolding. This is the main
idea behind the analysis presented in this work. Suppose we have to annotate a
program $P$ with respect to an initial call $Q$. If we can prove that $Q$ terminates
with respect to $P$, the annotated version of $P$ is simply $P$ itself (every atom is
annotated static). Hence, during specialisation, the goal $Q$ will be completely
unfolded, and specialisation of $Q$ boils down to plain evaluation of $Q$ in $P$. If,
on the other hand, termination of $Q$ with respect to $P$ cannot be proven by
our analysis, at least one of $P$'s clauses must have a leftmost looping atom,
and we mark this atom dynamic (by replacing it by true in $P$). This process
is repeated until the annotated program is loop safe. This is the main intuition
behind the algorithm for binding-time analysis which is depicted in Fig. 5.

Given a program $P$ and initial call $Q$.
Let $P_0 = P$, $S_0 = calls_P(Q)$, $k = 0$.
repeat
    if there exists a clause $i$ in $P_k$ such that $LLA^{i}_{P_k,S_k} = j$
    then
        let $P_{k+1}$ be the program obtained by replacing the $j$'th
        body atom in the $i$'th clause in $P_k$ by true and
        let $S_{k+1} = S_k \cup calls_{P_{k+1}}(Q)$
    else
        $P_{k+1} = P_k$
    $k = k + 1$
until $P_k = P_{k-1}$
$P' = P_k$, $S' = S_k$

Fig. 5. The BTA algorithm.

Note that the algorithm is non-deterministic: if several clauses $i$ exist in $P_k$ for which
$LLA^{i}_{P_k,S_k}$ is defined, one of these atoms must be selected for replacement by
true. Also note the construction of the set $S'$: starting from the program's initial
abstract callset $S_0$, the abstract callset of the annotated program is added in
each round of the algorithm. Doing so guarantees that the calls that are unfolded
are correctly represented by an abstract call in $S'$, but it also ensures that $S'$
contains abstractions of the (concrete instances of the) calls that were replaced
by true during the process. In other words, the set $S'$ contains an abstraction of
every call that is encountered (unfolded or residualised) during specialisation of
$P$ with respect to the initial call $Q$.

Termination of the BTA algorithm is straightforward, since in every iteration
an atom in a clause is replaced by true, and the program only has a finite
number of atoms. The result of the algorithm includes a logic program $P'$ with
respect to which evaluation of any call that is abstracted by a call in the set $S'$
terminates. This is an important result, as it implies termination of specialisation
of such a call when the specialisation is performed by following the annotations
corresponding to $P'$. More formally, we can define such an unfolding rule as
follows:

Definition 8. An atom $A$ in a goal at the leaf of an SLD-tree is selectable unless
it is an instance of an atom in $P$ that is replaced by true in $P'$. The unfolding
rule $U_{bta}$ unfolds the leftmost selectable atom in each goal of the SLD-tree under
construction. If no atom is selectable, no further unfolding is performed.

Now, the SLD-tree built by $U_{bta}$ for $P \cup \{Q\}$ is finite since $U_{bta}$ unfolds - apart
from $Q$ - only atoms that are instances of an atom in $P'$. Moreover, every atom
$A$ that is not unfolded by $U_{bta}$ - and hence present in the residual program - is
a concretisation of a call in $S'$. Hence, building an SLD-tree for $P \cup \{A\}$ again
terminates. This kind of termination is often referred to as local termination:
building a finite SLD-tree for each atom that is specialised. Constructing a finite
set of atoms that are specialised involves a second kind of termination, often
referred to as global termination. Global termination is not guaranteed by BTA
alone. Indeed, the abstract callset $S'$ is a finite set, but an infinite number of
concretisations of the calls in $S'$ may be constructed during specialisation.
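The partial unfolding of Section 2 (Fig. 2) and the unfolding rule $U_{bta}$ of Definition 8 can be exercised directly. The Python code below is an added example, not code from the paper: it encodes the vanilla meta-interpreter of Fig. 1, resolves the leftmost selectable atom while treating every predicate listed in `residual` as replaced by true (the root atom is always resolved, as Definition 8 excepts $Q$), and collects the leaves of the SLD-tree as residual clauses. The term encoding, the depth bound that stands in for a "possible non-termination" verdict, and the variant check used for global control are this example's own assumptions.

```python
import itertools

# Term encoding (constructed for this example): variables are strings starting with an
# uppercase letter or '_'; compound terms are tuples (functor, *args); [H|T] is ('.', H, T), [] is '[]'.
def is_var(t):
    return isinstance(t, str) and (t[0].isupper() or t[0] == '_')

# Fig. 1, the vanilla meta-interpreter; '_1' and '_2' are clause 4's anonymous variables.
PROGRAM = [
    (('solve', '[]'), []),                                                           # 1
    (('solve', ('.', 'A', 'Gs')), [('solve_atom', 'A'), ('solve', 'Gs')]),           # 2
    (('solve_atom', 'A'), [('clause', 'A', 'Body'), ('solve', 'Body')]),            # 3
    (('clause', ('member', 'X', 'Xs'), ('.', ('append', '_1', ('.', 'X', '_2'), 'Xs'), '[]')), []),  # 4
    (('clause', ('append', '[]', 'L', 'L'), '[]'), []),                              # 5
    (('clause', ('append', ('.', 'X', 'Xs'), 'Y', ('.', 'X', 'Zs')), ('.', ('append', 'Xs', 'Y', 'Zs'), '[]')), []),  # 6
]

def deref(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Syntactic unification without occurs check: the extended substitution, or None."""
    a, b = deref(a, s), deref(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, a: b} if is_var(a) else {**s, b: a}
    if not (isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = s if s is None else unify(x, y, s)
    return s

def subst(t, s):
    t = deref(t, s)
    return (t[0],) + tuple(subst(x, s) for x in t[1:]) if isinstance(t, tuple) else t

def rename_vars(t, m, fresh):
    """Map variables through m; an unseen variable gets the name fresh(name, index)."""
    if is_var(t):
        return m.setdefault(t, fresh(t, len(m)))
    return (t[0],) + tuple(rename_vars(x, m, fresh) for x in t[1:]) if isinstance(t, tuple) else t

def variant(clause, counter=itertools.count()):
    """Fresh copy [head, *body] of a program clause, renamed apart from all others."""
    k, m = next(counter), {}
    return [rename_vars(t, m, lambda v, _: f"{v}_{k}") for t in (clause[0], *clause[1])]

def canon(t):  # variables numbered by first occurrence, so that variants compare equal
    return rename_vars(t, {}, lambda _, n: f"V{n}")

class DepthExceeded(Exception):
    """SLD-tree deeper than the bound: unfolding is possibly non-terminating."""

def unfold(goal, s, residual, depth, limit, root=False):
    """U_bta of Definition 8: resolve the leftmost atom whose predicate is not in residual
    (the root atom is always resolved) until none is selectable; returns (goal, subst) leaves."""
    if depth > limit:
        raise DepthExceeded(depth)
    k = next((k for k, a in enumerate(goal) if root or f"{a[0]}/{len(a) - 1}" not in residual), None)
    if k is None:
        return [(goal, s)]
    leaves = []
    for clause in PROGRAM:
        head, *body = variant(clause)
        s2 = unify(goal[k], head, s)
        if s2 is not None:
            leaves += unfold(goal[:k] + body + goal[k + 1:], s2, residual, depth + 1, limit)
    return leaves

def specialise(query, residual, limit=40):
    """Residual clauses (head, body) for one atom: one per leaf of its finite SLD-tree."""
    return [(subst(query, s), [subst(a, s) for a in leaf])
            for leaf, s in unfold([query], {}, residual, 0, limit, root=True)]

def specialise_all(query, residual, limit=40):
    """Specialise the query and every residual atom it leaves behind. The variant
    check is this example's global control, which the paper notes BTA alone does not give."""
    todo, seen, program = [query], set(), []
    while todo:
        atom = todo.pop()
        if canon(atom) not in seen:
            seen.add(canon(atom))
            for head, body in specialise(atom, residual, limit):
                program.append((head, body))
                todo.extend(body)
    return program

def terminates(query, residual, limit=40):
    """Does specialisation under the annotation `residual` stay within the depth bound?"""
    try:
        specialise_all(query, residual, limit)
        return True
    except DepthExceeded:
        return False

QUERY = ('solve', ('.', ('member', 'X', 'Xs'), '[]'))  # solve([member(X,Xs)])
```

terminates(QUERY, set()) is False: with every atom static the SLD-tree for solve([member(X,Xs)]) runs past the bound through the recursive append clause, which is the situation Section 2 describes for a termination-based unfolding condition. terminates(QUERY, {'solve_atom/1'}) is True, and specialise_all(QUERY, {'solve_atom/1'}) returns four clauses which, written in Prolog syntax, are the left-hand side of Fig. 2.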



4 Experimental Evaluation 

Table 1 summarises a number of experiments that were run with an imple-
mentation of the described binding-time analysis. The second column (Round 1)
presents the timings for termination analysis of the original program (in which
all calls are annotated static). In case the outcome of the analysis is possible
non-termination, the third column (Round 2) presents the timings for termina-
tion analysis of the program in which the problematic call is annotated dynamic.
None of the benchmarks, which are taken from the DPPD library [12], required
more than two rounds of the termination analysis to derive a terminating anno-
tated program. The benchmarks were run under SICStus Prolog 3.7.1 on a Sun
Ultra E450 server with 256Mb RAM operating under SunOS 5.6. The fourth
column in Table 1 contains the time needed to produce the specialised program
using the logen system |0]. The final column contains the specialisation time
of Mixtus m - a well-known on-line specialiser for Prolog - as a reference
point. Table 1 shows that binding-time analysis is the most expensive operation
in the specialisation process. However, recall that the results of binding-time
analysis can be used to perform several specialisations (with respect to values
approximated by the binding-times from the partial deduction query). For the
considered benchmarks, the cost of binding-time analysis will be recovered after
a few specialisations compared with Mixtus. Typical speedups obtained by the
specialisation range from 1.15 to 2.23 for these benchmarks.
Table 1. Timings (in ms) for the binding-time analysis and full specialisation.

Benchmark         Round 1   Round 2   LOGEN   Total   Mixtus
ex_depth            240.0     230.0     4.4     474      200
match               470.0     180.0     2.4     652       50
map.rev/reduce      200.0       -       4.3     204      100
parser              100.0      50.0      -      150        -
regexp1-3           740.0     280.0    15.1    1035      670
transpose           210.0     150.0     7.0     367      290



5 Discussion 

In this work, we have taken a rather unusual approach towards binding-time
analysis. Well-known techniques from termination analysis are adapted and used
to annotate a program in successive steps, until it can be proven that specialisa-
tion - rather than full evaluation - of a call terminates. Preliminary experiments
show that the approach is feasible and results in more liberal unfoldings than
with earlier known approaches that use separately generated (or hand crafted)
termination conditions like |^. Examples are the solve example and the regexp
benchmark from above, since in these programs, the ability to partially unfold a
predicate call is crucial to achieve a fair amount of specialisation. In the solve ex-
ample from Section 2, our analysis is able to compute that the call to solve_atom
is the leftmost looping atom in the program's second clause and that annotating
this call dynamic suffices to obtain termination, and hence the results devised
in Section 2. The regexp benchmark is depicted in Fig. 6. Assume we want to
specialise this program for a query in which the first argument (the regular ex-
pression that needs to be matched) is ground. Termination is not guaranteed,
hence a binding-time analysis based on termination conditions would not be able
to unfold any call to gen/3. Still, our binding-time analysis is able to spot the
only problematic call sequence from head to body atom (underlined in Fig. 6),
marking the other calls static such that all calls except for the underlined one
can be unfolded during specialisation.

gen(empty,T,T).
gen(char(X),[X|T],T).
gen(or(X,Y),H,T) :- gen(X,H,T).
gen(or(X,Y),H,T) :- gen(Y,H,T).
gen(cat(X,Y),H,T) :- gen(X,H,T1), gen(Y,T1,T).
gen(star(X),T,T).
gen(star(X),H,T) :- gen(X,H,T1), gen(star(X),T1,T).

Fig. 6. The regexp benchmark

In contrast with [3] - being a polyvariant analysis - our binding-time analysis
is monovariant: it creates only a single annotated version of every predicate. This
is not an issue in the benchmarks presented above, but for more involved pro-
grams, the resulting annotations are likely to be suboptimal, since calls in which
different arguments are instantiated enough are likely to expose a different termi-
nation behaviour, and hence they might profit from being unfolded differently.
Another characteristic of the analysis that might be an issue when analysing
larger programs is that the binding-time analysis basically deals with boolean
binding-times: either a value is instantiated enough with respect to a norm, or
it is not. Although some work exists towards automating the process of choos-
ing a suitable norm, most systems require the norm to be selected by the user.
The particular norm that is used by the system determines the granularity of a
term that is considered static for binding-time analysis. The use of the termsize
norm, for example, corresponds to distinguishing, during binding-time analysis,
between definitely ground terms and possibly non-ground terms. The use of the
listlength norm, on the other hand, enables one to consider a term static when
it is instantiated up to a list skeleton. Even if the norm is provided manually,
finding a suitable norm might not be trivial or might even be impossible - in
particular for programs that employ values of different types. These issues are
not due to the binding-time analysis itself, but are rather connected with the
termination analysis. We expect better (more precise) termination analyses to
lead to better (more precise) binding-time analysis.

In this work, we have used termination analysis to ensure - in an off-line set-
ting - local termination of the specialisation process. A topic for further research
is the use of termination analysis towards globally controlling the specialisation
process as well. A possible approach towards ensuring (global) termination in off-
line partial evaluation of functional programs is presented in [J. In this work,
the output of a termination analysis is used to make enough values dynamic
such that the program enters - during specialisation - only a finite number of
different configurations (where a configuration is defined as a program point to-
gether with values for the variables at that program point). If this is the case,
the program is said to quasi-terminate and termination of partial evaluation is
ensured by memoizing the configurations. A weakness of the approach of [Ij is
that its termination analysis only recognises "in-situ" decreases, i.e. a decrease
in the size of a single argument between recursive calls. A more general termina-
tion analysis is developed in m, capable of dealing with indirect function calls
and permuted arguments (lifting the in-situ criterion). Developing an analogous
analysis for binding-time analysis is mentioned as an important issue in [10]. The
notion of quasi-termination for logic programs has also been explored [S] in the
context of termination analysis of tabled logic programs. In [3], it is noted that
global termination of the process is ensured if quasi-termination of the program
with the residualised predicates tabulated can be established. Precisely how to
integrate such a technique with a suitable and refined abstraction mechanism is
an interesting topic for further research.
Abstract. The analysis of failed proof attempts is central to concept
formation. This process essentially makes use of abduction, a form of
reasoning that identifies explanations for an observed phenomenon. The
main problem with abduction is the combinatorial explosion: the search
space originated from a failed proof attempt is often unmanageable. A
careful proof search guidance is thus required to enable a successful anal-
ysis of failure. Fortunately, the search space generated by proof plan-
ning i is moderately small. Using an abduction mechanism built upon
proof planning [Ts], we have successfully patched 40 faulty conjectures
about the HOL theory of lists [3]. On each faulty conjecture, our mecha-
nism was able to synthesise a condition that turns the conjecture into a
theorem. Each condition proved to be a concept that is known to be use-
ful and interesting. This process is a form of concept formation. Concept
formation was done automatically. Once refined, the conjectures can then
be used to write a fast, uniform proof procedure for proving properties
of list constants without effort.



1 Introduction 

Understanding mal-formulations is central to both concept formation and the- 
ory refinement. Mal-formulations often become evident by the appearance of 
either a faulty proof, or a failed proof attempt. Experience has shown that fault 
analysis often holds the key for the completion of proofs, the discovery of lem- 
mas, the generalisation of theories and for the invention of new mathematical 
concepts [15]. 

We are interested in the analysis and correction of failed proof attempts, espe- 
cially where that correction involves the synthesis of new concepts. To approach 
fault correction, we use abduction. Abduction is a form of logical inference that 
can be used to uncover the causes of observed phenomena [20] . We use abduction 
when no further deduction is possible, exploring the associated partial proof tree. 
These trees are usually huge and might well be infinite. Thus, a careful search 
guidance is required if a combinatorial explosion is to be avoided. 

* The author is grateful to Simon Colton and the anonymous referees for providing 
invaluable, useful suggestions on an earlier version of this paper. This research was 
supported by CONACYT grants SEP-REDII and 33337-A. 
Proof planning [6] is used to automate control of proof search. It makes use
of heuristics that capture the way in which proof search should go while yielding
mathematically natural proofs. Proof planning dramatically restricts the proof
search space making it possible to exploit any failure or partial success. Thus it
is a means of carefully guiding the use of abduction for the correction of faults,
as shown in [17,18].

This paper reports on using abduction to develop a theory based on higher-
order functions. The target theory is the list theory of HOL m, reported in [23]
and based on the work of m. The motivation behind this decision is, amongst
other things, of practical matters: theorems about the higher-order functions
of a theory can often be used to establish lots of theorems about user-defined
constants with little effort. Thus we ultimately aim to suggest guidelines for
building general proof procedures in the list theory of HOL. Thus, while the
concepts we form might be for mathematicians, they are primarily intended to
be employed by tools, such as HOL, to improve their performance.

Concept formation in HOL's list theory was done automatically. Human intervention was required only to speculate 40 conjectures, all related to the theory's higher-order functions. Each conjecture was proof planned separately; upon failure, an abduction mechanism [18] was used to automatically identify a condition, if any, that turns the conjecture into a theorem. These conditions turned out to be properties that are known to be useful, e.g., associativity, commutativity, monoid, etc.

1.1 Paper Overview

The rest of this paper is organised as follows: Section 2 provides a short description of HOL's list theory, while Sections 3 and 4 respectively discuss proof planning and the abduction mechanism that we have built in it. Our approach to concept formation using abduction on proof planning failure is then presented in Section 5. Then we recapitulate the experimental results found throughout our investigation in Section 6. Section 7 briefly discusses related work. Conclusions drawn from our experiments, as well as indications for further work, appear in Section 8.

2 A Theory of Lists Based on Higher-Order Functions 

The HOL theory of lists is based largely on the higher-order functions 'fold left' (foldl) and 'fold right' (foldr). It involves proof methods that can prove theorems about many inductively defined constants without using induction. The deductive power of these methods originates in the use of conditional, higher-order rewrite rules, extracted from theorems about foldl and foldr.

Fold left and fold right are schematically specified as follows¹:

    foldl F E (X0 :: X1 :: ... :: Xn :: nil) = F (... (F (F E X0) X1) ...) Xn
    foldr F E (X0 :: X1 :: ... :: Xn :: nil) = F X0 (F X1 (... (F Xn E) ...))

¹ H :: T denotes the list of head H and tail T; nil denotes the empty list. :: is the list constructor function.
where E and F respectively denote the base element and the step function. Formally, foldr and foldl are given by [23]:

    foldr F E nil = E
    foldr F E (H :: L) = F H (foldr F E L)
    foldl F E nil = E
    foldl F E (H :: L) = foldl F (F E H) L

The fold functions provide a template with which we can conveniently define most list operations. A couple of examples illustrate this. Let a natural number be represented as a list of booleans with the most significant bit at the head of the list². Then, to define a function, list2nat, that converts any such list to its corresponding natural number, we simply write:

    list2nat L = foldl (λE X. (2 × E) + X) 0 L

The second example is an ordinary system operation, namely list concatenation, which is given by:

    ∀L1, L2. app L1 L2 = foldr (::) L2 L1

From these definitions, we can derive the equations that are commonly associated with the recursive definitions of both list2nat and app, namely:

    list2nat nil = 0
    list2nat (X :: L) = ((boolval X) × (2 exp (length L))) + (list2nat L)
    app nil L = L
    app (H :: M) L = H :: (app M L)

where length and exp have their natural interpretation, returning the number of elements in a list and the result of multiplying the base by itself exponent many times, and where boolval converts a boolean into an integer.
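The definitions of this section, rendered as an added executable example in Python (this is not HOL code and is not part of the original paper): foldr, foldl, app and list2nat follow the fold equations above, the two recursive variants follow the derived equations, and derived_equations_agree compares the two exhaustively on small constructed inputs. fold_direction_matters additionally shows, for a non-associative step function, that the two folds give different results. All function names are this example's own.

```python
# Added example, not from the paper or from HOL: the fold-based definitions of
# Section 2 as Python functions, with an exhaustive check on small inputs that
# the derived recursive equations for list2nat and app agree with them.
from itertools import product
from typing import Callable, List, Tuple, TypeVar

A = TypeVar("A")
B = TypeVar("B")


def foldr(f: Callable[[A, B], B], e: B, xs: List[A]) -> B:
    """foldr F E nil = E ;  foldr F E (H :: L) = F H (foldr F E L)."""
    if not xs:
        return e
    return f(xs[0], foldr(f, e, xs[1:]))


def foldl(f: Callable[[B, A], B], e: B, xs: List[A]) -> B:
    """foldl F E nil = E ;  foldl F E (H :: L) = foldl F (F E H) L."""
    if not xs:
        return e
    return foldl(f, f(e, xs[0]), xs[1:])


def cons(h: A, t: List[A]) -> List[A]:
    """The list constructor H :: T."""
    return [h] + t


def app(l1: List[A], l2: List[A]) -> List[A]:
    """app L1 L2 = foldr (::) L2 L1."""
    return foldr(cons, l2, l1)


def boolval(b: bool) -> int:
    return 1 if b else 0


def list2nat(bits: List[bool]) -> int:
    """list2nat L = foldl (λE X. 2·E + X) 0 L, most significant bit at the head."""
    return foldl(lambda e, x: 2 * e + boolval(x), 0, bits)


# The recursive equations the paper derives from the fold definitions.
def list2nat_rec(bits: List[bool]) -> int:
    if not bits:
        return 0                                         # list2nat nil = 0
    x, l = bits[0], bits[1:]
    return boolval(x) * 2 ** len(l) + list2nat_rec(l)   # list2nat (X :: L)


def app_rec(l1: List[A], l2: List[A]) -> List[A]:
    if not l1:
        return l2                                  # app nil L = L
    return [l1[0]] + app_rec(l1[1:], l2)           # app (H :: M) L = H :: app M L


def derived_equations_agree(max_len: int = 4) -> bool:
    """Exhaustively compare the fold-based and the recursive definitions on all
    boolean lists up to max_len and on all pairs of small integer lists
    (constructed inputs)."""
    for n in range(max_len + 1):
        for bits in product([False, True], repeat=n):
            if list2nat(list(bits)) != list2nat_rec(list(bits)):
                return False
    atoms = [1, 2, 3]
    for n1 in range(4):
        for n2 in range(4):
            l1, l2 = atoms[:n1], atoms[:n2]
            if app(l1, l2) != app_rec(l1, l2):
                return False
    return True


def fold_direction_matters() -> Tuple[int, int]:
    """With a non-associative step function the two folds differ:
    foldl computes ((10-1)-2)-3, foldr computes 1-(2-(3-10))."""
    left = foldl(lambda e, x: e - x, 10, [1, 2, 3])
    right = foldr(lambda x, e: x - e, 10, [1, 2, 3])
    return left, right


if __name__ == "__main__":
    print(list2nat([True, False, True, True]))   # 11
    print(app([1, 2], [3]))                      # [1, 2, 3]
    print(derived_equations_agree())             # True
    print(fold_direction_matters())              # (4, -8)
```

The check is exhaustive only up to the chosen lengths; it is a sanity test of the derived equations, not a proof of them, which is exactly what the HOL theory supplies by rewriting with theorems about foldl and foldr.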

Thus, using theorems about higher-order functions, we can write proof pro- 
cedures that can prove a number of theorems with little effort. 

This paper was prompted by the following observation: the more theorems about higher-order functions a proof procedure knows, the more powerful it is. We suggest that the abduction mechanism introduced in [18] can be used to automate the discovery of new theorems in the HOL theory of lists, while possibly yielding new concepts.

As mentioned earlier in the text, our abduction mechanism is built within an existing proof plan for inductive theorem proving (described in [?] and implemented in the CLAM [?] proof planning system). While the proof plan for induction carefully guides the search for a proof, the abduction mechanism exploits any failure or partial success attained along the way. We discuss these techniques below.

² This representation, called big-endian, is typical in applications of formal methods to hardware development.
3 Proof Planning

Proof planning is a meta-level reasoning technique to automate control of proof search. A proof plan is a high-level representation of the general structure of the members of a proof family, and is used to guide the search for more proofs in that family. Proof planning works in the context of a tactical style of reasoning, building large, complex tactics out of simpler ones. It splits theorem proving into two tasks, one in which a proper tactic is assembled, and another in which the tactic is executed, yielding an actual proof³.

Methods are the building-blocks of proof planning. A method is a high-level 
description of a tactic. It specifies the preconditions under which the tactic is 
applicable and the effects of its application. The application of a method to 
a given goal consists in checking the preconditions against the goal and then 
determining the output new goals by computing the effects. 

Proof planning is the recursive process that reasons about and composes 
tactics. It returns a customised tactic together with its justification, called a proof 
plan. In the normal case of success, proof plan execution guarantees correctness 
of the final proof. Proof planning is cheaper than searching for a proof in the 
underlying object theory. This is for two reasons: First, each plan step covers 
a lot of object-level theorem proving steps: proof planning emphasises proof 
structure, filling in direct but tedious, onerous reasoning. Second, the method 
preconditions dramatically restrict the search space: backtracking hardly occurs. 

Given that it emphasises key steps and structure, proof planning makes it easy to guide the synthesis of programs while proving a specification statement [1]. This observation has been extensively elaborated, especially in the context of inductive theorem proving.

3.1 The Proof Plan for Induction and Rippling 

Inductive proof planning is the application of proof planning to inductive theorem proving. It is characterised by a collection of methods, defined as follows: the induction method selects the most promising induction scheme via a process called rippling analysis. The base case(s) of proofs by induction are dealt with by the elementary and sym_eval methods. Elementary is a tautology checker for propositional logic and has limited knowledge of intuitionistic propositional sequents, type structures and properties of equality. Sym_eval simplifies the goal by means of exhaustive symbolic evaluation and other routine reasoning.

Similarly, the step case(s) of proofs by induction are dealt with by the ripple and fertilise methods. Ripple applies rippling [1], a heuristic that guides transformations in the induction conclusion to enable the use of a hypothesis, called fertilisation. The proof plan for induction also involves generalise, a method that generalises away common sub-terms in an expression, such as an identity, an implication, etc.

³ Sometimes, however, object-level steps need to be interleaved whilst assembling a tactic: in some cases, some of the later planning steps cannot be made without the detail provided by the earlier object-level ones.
Rippling exploits the observation that an initial induction conclusion is a copy of one of the hypotheses, except for extra terms, e.g., the successor function, wrapping the induction variables. By marking such differences explicitly, rippling can attempt to place them at positions where they no longer prevent the conclusion and hypothesis from matching. Rippling is therefore an annotated term-rewriting system. It applies a special kind of rewrite rule, called a wave-rule, which manipulates the differences between two terms while keeping their common structure intact.

Our abduction mechanism [18] is built within the inductive proof plan. It makes use of the plan's heuristics so as to identify the restricted way in which the search for a proof can fail. Proof failure and its analysis is captured via a proof critic.



3.2 Proof Planning with Critics 

The incorporation of an exception handler into proof planning is called proof planning with critics [13]. The exception handler is invoked whenever the applicability preconditions of a method partially hold. Then, it will try the proof critics associated with such a method, if any, one at a time, in the order of appearance.

Proof Critics are the building blocks of the exception handler. A proof critic 
specifies the conditions in which the search for a proof plan breaks down as well 
as providing the associated corrective action or patch. A critic is applicable if 
the current goal matches the input formula, the critic preconditions hold, and 
if the applicability preconditions of the method to which the critic is associated 
partially hold. 

Unlike the application of a method, the application of a proof critic does not refine the proof plan under construction. It just enables further proof planning by means of a side effect. Critic effects may include a modification to the input formulae, e.g., generalisation or fault correction, or to the working theory, e.g., lemma discovery. Proof planning with critics has been successfully used for lemma discovery and formula generalisation [13], and for faulty formula correction [17,18].

With this, we complete our review of proof planning. We now describe the abduction mechanism used for concept formation.

4 The Abduction Mechanism 

Our abduction mechanism [18] is used to exploit proof planning failure so as to correct faulty conjectures. Let X denote a tuple of distinct variables; then, given a theory, Γ, and a faulty conjecture, ∀X. G(X), the method builds a definition for a corrective predicate, P(X), such that:

— P(X) is correct: Γ ⊢ ∀X. P(X) → G(X);

— P(X) is consistent: Γ ∪ {P(X)} ⊬ ⊥;

— P(X) is nontrivial: {P(X)} ⊬ G(X); and

— P(X) is both terminating and well-defined.
The synthesis of a corrective predicate is driven by the proofs-as-programs principle [12], which relates inference with computation. So a recursive predicate relates to an inductive proof attempt; likewise, a conditional predicate relates to the use of case analysis. The synthesis of a corrective predicate is taken as a program transformation task. Accordingly, the abduction mechanism consists of a collection of construction commands, each of which is associated with a proof planning method and automatically executed upon plan formation. Thus, the abduction mechanism relies upon the proof planning paradigm: the careful search guidance used in proof plan formation drives the synthesis of, possibly recursive, corrective predicates.

A construction command is a small program written in a meta-language. The meta-language consists, among other things, of a handful of editing commands, geared towards the construction of conditional, recursive, equational procedures. An editing command performs a low-level task, typical of a program editor, such as adding an argument, imposing a recursive structure, expanding a case into several sub-cases and so on.

The abduction mechanism is built within CLAM and it operates during proof plan formation. Each goal is labelled with an equation that contains one or more predicate meta-variables. The input goal, ∀X. G(X), is labelled with P(X) = P0 and the aim of the abduction method is to instantiate P0, the current predicate meta-variable, along a proof planning attempt of ∀X. G(X).

If Γ ∪ {G(X)} ⊢ ⊥, P0 will be set to false. Conversely, if Γ ⊢ ∀X. G(X), P0 will be trivially set to true. If ∀X. G(X) is faulty, P0 will be other than true or false and an algorithm for it will be constructed or identified.

The construction commands are defined as follows: 

induction instantiates the current predicate meta-variable with an actual fresh predicate. The fresh predicate is such that it potentially has a recursive structure dual to the induction principle being applied. Each base or step case of the induction principle is pairwise associated with a predicate case, which it instantiates;

elementary instantiates the current predicate meta-variable with the proposition true;

fertilise instantiates the current predicate meta-variable so that it makes the current corrective predicate recursive;

casesplit expands the current equation case into a number of cases, one for each case the proof is being split into;

generalise instantiates the current predicate meta-variable with an actual fresh predicate that takes as argument the compound term that is being generalised away; and

deadend does either of two things: if the dead end goal is inconsistent with the working theory, then deadend instantiates the current predicate meta-variable with the proposition false. Otherwise, deadend abducts the dead end goal, adding it to the working theory.
Except for deadend, each construction command is associated with the proof planning method carrying its name. Deadend is associated with the base_case proof critic. It is invoked whenever no further proof planning is possible, with the proviso that symbolic evaluation was expected to establish the goal.

To register predicate relations, the abduction method maintains a graph, 
in which each node is labelled with a predicate and the (outward) arcs of it 
point at the symbols in terms of which the predicate is defined. This so-called 
dependency graph is used to ensure that the corrective predicate is well-defined. 
Whenever the structure of a predicate changes, the mechanism runs a sort of 
garbage-collection algorithm which, using the dependency graph, updates the 
structure of all of the predicates. 

In the section that follows, we aim to illustrate the way in which CLAM, once 
it has been extended with the abduction mechanism, can be used to develop a 
theory via concept formation. 

5 Concept Formation via Abduction on Proof Planning Failure

To attain concept formation in the HOL theory of lists, we follow the methodology outlined below:

1. Build a set of example faulty conjectures, each of which models an 'attractive' property of the fold higher-order functions. An example property of this kind is as follows: "folding the concatenation of two lists amounts to manipulating the result of folding each list separately"; in symbols:

    ⊢ ∀F, E, L1, L2. foldr F E (app L1 L2) = F (foldr F E L1) (foldr F E L2)     (1)

where app stands for list concatenation.

2. For each faulty conjecture of the test set, run the following experiment: 
take the conjecture, make CLAM try to proof plan it, simplify the output 
corrective predicate and then collect the concepts that have been formed. 
The steps of this experiment are all automated. 

On every run, our abduction mechanism identified a corrective predicate, turn- 
ing the associated conjecture into a theorem. Each corrective predicate proved 
to specify a property that is known to be useful, such as associativity, commu- 
tativity and so on. 

To illustrate our methodology, we work by example. Consider (1) again. By running CLAM, the partial proof plan associated with this conjecture was generated automatically. It consisted of 8 applications of the induction method, yielding the corrective predicate shown below:

    P nil L2 F E X Y Z ≡ Q L2 F E X Y Z
    P (H1 :: L1) L2 F E X Y Z ≡ (P L1 L2 F E X Y Z) ∧ (R L1 L2 F E X Y Z)

    Q nil F E X Y Z ≡ I1
    Q (H2 :: L2) F E X Y Z ≡ (Q L2 F E X Y Z) ∧ (Q' L2 F E X Y Z)

    Q' nil F E X Y Z ≡
    Q' (H2 :: L2) F E X Y Z ≡ ⊤

    R L1 nil F E X Y Z ≡ R' L1 F E X Y Z
    R L1 (H2 :: L2) F E X Y Z ≡ R'' L1 L2 F E X Y Z

    R' nil F E X Y Z ≡ I3
    R' (H2 :: L2) F E X Y Z ≡

    R'' L1 nil F E X Y Z ≡ ⊤
    R'' L1 (H2 :: L2) F E X Y Z ≡ S L1 L2 F E X Y Z

    S nil L2 F E X Y Z ≡ ⊤
    S (H1 :: L1) L2 F E X Y Z ≡ S' L2 F E X Y Z

    S' nil F E X Y Z ≡
    S' (H2 :: L2) F E X Y Z ≡

Where the terms I1, I2, I3 and I4 respectively stand for:

    I1:  F E E = E
    I2:  F E X = X
    I3:  F X E = X
    I4:  F X (F Y Z) = F (F X Y) Z

And where the term variables X, Y and Z are either Skolem constants, as introduced by the induction method, or replace compound terms that appeared on both sides of the identity.

At first, P seems to be meaningless, but a few intuitive manoeuvres disclosed interesting bits. First, P is unnecessarily recursive; it can be proven to be equivalent to the conjunction of the I_i (i ∈ {1, ..., 4}). To get rid of redundancies, we use Walther's simplification procedure [?]. Second, identity I1 is irrelevant, as it is subsumed by I2 or I3. These transformations return the conjunction of I2, I3 and I4. Together, these identities convey that F and E form a monoid: F is associative and E is both the left and right identity of F.
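The search for a corrective predicate for (1), as an added example in Python rather than the paper's CLAM mechanism: the two sides of (1) are built as terms over an uninterpreted F and a symbolic E for small constructed lists, then normalised under a chosen subset of the three identities the simplified predicate keeps (left identity, right identity, associativity). Instances whose sides still differ are reported as dead ends, and minimal_corrective_sets returns the inclusion-minimal subsets under which no dead end remains. The normaliser, the sample instances and all function names are this example's own assumptions. On these instances, left identity together with associativity already closes every case, so the monoid predicate produced by the proof attempt above is correct but stronger than (1) itself requires; this is consistent with Section 4, which asks a corrective predicate to be correct, consistent and nontrivial, not weakest.

```python
# Added example, not the paper's CLAM code: a small symbolic search for a
# corrective predicate for conjecture (1),
#     foldr F E (app L1 L2) = F (foldr F E L1) (foldr F E L2).
# F is left uninterpreted and E is a symbolic constant. Both sides are
# evaluated on small symbolic lists and normalised under a chosen subset of
# the candidate identities; instances whose sides still differ play the role
# of dead ends. The normaliser, the candidate identities and the sample
# instances are assumptions of this example.
from itertools import combinations
from typing import List, Tuple, Union

Term = Union[str, Tuple]          # an atom such as 'E' or 'X', or ('F', left, right)


def F(a: Term, b: Term) -> Term:
    return ('F', a, b)


def foldr(e: Term, xs: List[Term]) -> Term:
    """foldr F E nil = E ; foldr F E (H :: L) = F H (foldr F E L), with F symbolic."""
    return e if not xs else F(xs[0], foldr(e, xs[1:]))


def app(l1: List[Term], l2: List[Term]) -> List[Term]:
    return l1 + l2


# Candidate identities: the three the simplified corrective predicate keeps.
LAWS = ('left_id', 'right_id', 'assoc')


def norm(t: Term, laws) -> Term:
    """Normalise t using only the identities named in `laws`:
       left_id : F E X -> X          right_id: F X E -> X
       assoc   : F (F X Y) Z -> F X (F Y Z)   (right-associate)."""
    if isinstance(t, str):
        return t
    a, b = norm(t[1], laws), norm(t[2], laws)
    if 'left_id' in laws and a == 'E':
        return b
    if 'right_id' in laws and b == 'E':
        return a
    if 'assoc' in laws and not isinstance(a, str):
        return norm(F(a[1], F(a[2], b)), laws)
    return F(a, b)


def show(t: Term) -> str:
    if isinstance(t, str):
        return t
    l, r = show(t[1]), show(t[2])
    l = l if isinstance(t[1], str) else f"({l})"
    r = r if isinstance(t[2], str) else f"({r})"
    return f"F {l} {r}"


# Constructed sample instances: L1 takes the first i atoms, L2 the next j.
ATOMS = ['X', 'Y', 'Z', 'W']
INSTANCES = [(ATOMS[:i], ATOMS[i:i + j]) for i in range(3) for j in range(3)]


def conjecture_sides(l1: List[Term], l2: List[Term]) -> Tuple[Term, Term]:
    lhs = foldr('E', app(l1, l2))
    rhs = F(foldr('E', l1), foldr('E', l2))
    return lhs, rhs


def dead_ends(laws) -> List[Tuple[List[Term], List[Term], str, str]]:
    """Sample instances of (1) whose sides do not normalise to the same term."""
    out = []
    for l1, l2 in INSTANCES:
        lhs, rhs = conjecture_sides(l1, l2)
        nl, nr = norm(lhs, laws), norm(rhs, laws)
        if nl != nr:
            out.append((l1, l2, show(nl), show(nr)))
    return out


def minimal_corrective_sets() -> List[Tuple[str, ...]]:
    """Subsets of LAWS, minimal under inclusion, that close every sample instance."""
    found: List[Tuple[str, ...]] = []
    for k in range(len(LAWS) + 1):
        for subset in combinations(LAWS, k):
            if any(set(s) <= set(subset) for s in found):
                continue                      # a smaller sufficient set is already known
            if not dead_ends(subset):
                found.append(subset)
    return found


if __name__ == "__main__":
    for l1, l2, lhs, rhs in dead_ends(()):
        print(f"L1={l1} L2={l2}: {lhs}  vs  {rhs}")
    print(minimal_corrective_sets())          # [('left_id', 'assoc')]
```

With no identities assumed, the very first instance (L1 = L2 = nil) is the dead end E = F E E, which is the paper's I1; with right identity and associativity but no left identity, the instance L1 = nil, L2 = X :: nil leaves the residue F E X = X. The check is over sampled instances, so it can only confirm that a set of identities suffices on those instances; the proof plan, by contrast, discharges the conjecture for all lists.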

In the next section, we summarise the results obtained throughout our in- 
vestigations. 

6 Experimental Results 

This section summarises the experimental results produced by a test, run on our 
abduction mechanism. 

Table 1 provides a description of the concepts that were discovered through our experimentation. Both the concepts and their associated definitions have a straightforward interpretation. Each concept captures a property that has proven to be useful. Concept formation is fully automatic.



Table 1. Concept Definitions

    Concept          Definition
    left_id F E      F E X = X
    right_id F E     F X E = X
    comm F           F X Y = F Y X
    assoc F          F X (F Y Z) = F (F X Y) Z
    fcomm F G        F X (G Y Z) = G (F X Y) Z
    fcomm+ F G       F X (G Y Z) = G Y (F X Z)
    fcomm++ F G H    F (G X) Y = H X Y
    eqc F G E        G E X = F X E
    eqd F G E        F X Y = G X (F E Y)
    flip H           H A B = foldr F B A
    dist H           H A (H B C) = H (app A B) C



Table 2 shows some of the example faulty conjectures against which we tested our mechanism⁴. For each faulty conjecture, we provide the concepts formed by our method and the total elapsed planning time (PT), given in seconds. Most symbols in Table 2 have direct meaning, so we draw attention only to the symbols below:

flatten: returns the result of concatenating the elements of a list of lists;
map: applies a function to every element of a list;
sort: sorts the elements of a list; and
reverse: reverses a list.

As shown by the worked example of Section 5, fault correction sometimes yields uninteresting formulae, e.g. F E E = E. Often, these formulae can be automatically eliminated using the simplest subsumption condition, term matching. Sometimes, however, term matching is not enough. Then, we found that the associated formula constitutes an intermediate result. Though it does not contribute to the concept being formed, the lemma might be interesting in its own right. Table 3 shows the lemmas we formed; each lemma appeared in only one experiment.

The whole test set included 40 experiments. Each faulty conjecture was successfully patched. Failure in plan formation occurred occasionally. Often, failure had its root in the absence of a bridging lemma. By contrast, changing the configuration of the inductive proof plan was almost unnecessary (1 out of 40). This took the form of adding an unusual method to the standard method database. The method, called apply_lemma, is used to apply a lemma that cannot be oriented as a reduction rule without running the risk of non-termination, e.g. commutativity. It is expensive in general and, so, a more elegant solution is, for example, to include symmetry of equality in symbolic evaluation.

⁴ Due to space constraints, the symmetric results for foldl have been omitted from display.
Table 2. Example faulty conjectures

    Faulty conjecture                                                    New concepts                            PT (secs)
    foldr F E (app L M) = F (foldr F E L) (foldr F E M)                  left_id F E, right_id F E, assoc F      161.54
    foldr F E (app L M) = G (foldr F E L) (foldr F E M)                  left_id G E, right_id G E, fcomm F G    326.26
    foldr F E (app L M) = F (foldr F E M) (foldr F E L)                  right_id F E, assoc F, comm F           403.98
    foldr F E (app L M) = G (foldr F E M) (foldr F E L)                  left_id G E, right_id G E, fcomm+ F G   996.7
    foldr F E (flat L) = foldr F E (map L (λZ. foldr F E Z))             right_id F E, assoc F                   181.87
    foldr F E (flat L) = foldr G E (map L (λZ. foldr F E Z))             left_id G E, right_id G E, fcomm F G    346.31
    foldr F (F X Y) Z = G X (foldr F (F E Y) Z)                          fcomm+ F G, eqd F G E                   148.14
    foldr F E (rev L) = foldr F E L                                      assoc F, comm F                         107.23
    foldr (λX, M. F (G X) M) E (rev L) = foldr (λX, M. F (G X) M) E L    assoc F, comm F                         318.56
    foldr F E (rev L) = foldr G E L                                      fcomm+ F G                              128.33
    foldr F E (sort L) = foldr F E L                                     assoc F, comm F                         29.5
    foldr F E L = foldl G E L                                            eqc F G E, assoc F, comm F              109.95
    foldr F A (map L G) = foldr H B L                                    A = B, fcomm++ F G H                    46.46
    foldr F X (flat L) = foldr H E L                                     A = B, flip H, dist H                   22.13
    F X (foldr F E M) = foldr F X M                                      comm F, assoc F, left_id F E            29.25
    foldl F (F X Y) L = F X (foldl F Y L)                                assoc F                                 40.55
Table 3. Formed lemmas

    Formed lemma                           Root concepts
    F X (F Y Z) = F (F Y X) Z              assoc F, comm F
    G X (F Y (F E Z)) = F Y (F X Z)        eqd F G E, fcomm+ F G
    G X (F (F E Y) Z) = F (F X Y) Z        eqd F G E, fcomm+ F G
                                           left_id G E
    G (F X E) Y = F X Y                    right_id G E, fcomm+ F G



The example faulty conjectures used in the test were gathered basically from four sources: Bird's books [3,2], the HOL98 corpus and Curzon and Wong's paper [?]. Some theorems reported in these sources were artificially turned into faulty formulae. We also considered slight variations of them.

A hand proof attempt tends to be shorter than a mechanical one. So a human mathematician might spend less time spotting a fault, and sometimes its associated mend, especially when she knows what she is looking for. By contrast, a mechanical proof is both long and tedious, since dead ends are found deeper in a proof attempt. In return, mechanical concept formation can be automated and might find concepts that could have been missed otherwise. This is because an automated system explores branches that a human might close prematurely, without worrying any further.

The average total elapsed proof planning time was 253.6 sec, with a standard deviation of 253.5. Thus, the examples are done automatically within a few hundred seconds. The test was run on a 270MHz Ultra 5, a SuperSPARC machine with 64Mb of RAM running Solaris 7. The full test, as well as the abduction method, is available upon request, by sending electronic mail to the author. Alternatively, readers may visit the following URL:

http://research.cem.itesm.mx/raulm/pub/code/fault-correction



7 Related Work 

Concept formation has been an active area of research for many years. AM [?], Graffiti [9,8] and HR [7] are amongst the most popular computer programs that automate theory discovery. These systems build on both an explicit representation and a set of production rules. The rules exploit current knowledge, while associating to the results a level of interestingness. AM and HR are designed to invent and assess mathematical definitions. Both provide support to sustain why certain concepts that have been formed are taken as interesting. Then,
they use the most interesting ones to build a theory that includes definitions, computations, models, theorems and open conjectures.

Graffiti is a conjecture discovery system developed to work in graph theory 
and chemistry. It has been successfully used to speculate a number of interesting 
conjectures, documented in over 60 manuscripts, including published papers, 
preprints, Ph.D. theses and technical reports. Only HR and Graffiti are still 
being used and only HR and Graffiti have added to Mathematics. AM never did 
invent anything new to mathematicians and has not been used for over 15 years. 

Correcting a faulty conjecture, via building a predicate, is not new. The first attempt at automatic fault correction was reported in [19]. In a similar vein, [10] first pioneered the use of proofs-as-programs for the construction of a corrective condition. Franova and Kodratoff never formalised their approach, which they call predicate synthesis, and described it only by example, hence making it difficult for readers to reproduce their results.

Protzen has also investigated the application of proofs-as-programs for fixing faulty conjectures [?]. He investigated the use of predicate synthesis in several interesting faulty conjectures, yielding conditional, recursive corrective predicates. However, like Franova and Kodratoff, Protzen did not provide a procedural account of his method, introducing it by example only.

Monroy [18] gave a formal means of mechanisation for predicate synthesis and other fault correction techniques found in the literature [?]. He has shown that an abduction framework, together with a methodology based on editing and construction commands, is helpful in constructing patching conditions for faulty conjectures.



8 Conclusions and Indications for Further Work 

Abduction can be used to explore the tree associated with a failed proof attempt. This returns a collection of formulae, each of which represents a dead end formula, which the proof method could not develop any further. Using both the dead
end formulae and the structure of the partial proof tree, we can build a correc- 
tive predicate. Any one of these predicates amounts to a concept not present in 
the working theory; sometimes it involves a bridging lemma. The level of inter- 
estingness associated with the corrective predicates provides evidence for using 
abduction as a concept formation process. 

Using abduction blindly, however, could be a hopeless process. This is because the tree associated with a failed proof attempt is huge and possibly infinite. Proof planning has made our experimental results possible. This is both because it provides a significant level of automation in inductive theorem proving, and because, working at a meta-level, it dramatically restricts the abduction search space.

Our results are promising; CLAM together with the abduction mechanism 
could be used to explore open conjectures in a theory. This might result in a 
proof or the production of a patching condition, that might well encompass an 
unknown, but interesting concept. 



Concept Formation via Proof Planning Failure 735



Our method is just an experiment in concept formation, leaving plenty of 
room for improvements. For example, by choosing a set of faulty conjectures 
with an ‘attractive’ property, we are in a way choosing the concept our method 
should find. Thus ongoing work is concerned with extending the method (or 
coupling it) with (exploratory) techniques that make use of interestingness to 
formulate open conjectures. What is more, a combined system would improve 
the level of automation, since our method would not require the open conjectures 
to be supplied by hand. 

Ongoing work is also concerned with exploring other application domains. 
While our method may not work as well where the underlying proofs have a less 
predictable structure, we reckon planning failure provides a means to concept 
formation that is worth exploring. 